Entra ID: Single Sign-On (SSO) & User Provisioning
Simplify login, facilitate user management

Written by Ellen Rydberg
Updated over a week ago

With Entra ID login, users no longer have to choose and remember a local Cinode password; they log in with their Entra ID credentials.

Logging in with Entra ID credentials lets you enable Single Sign-On and two-factor authentication. If you set up User Provisioning, you no longer need to manually add employees to Cinode or disconnect them from it: user administration is done in Entra ID.

The benefits of using Entra ID

  • Enhanced Security and Compliance: Entra ID offers advanced security features like multi-factor authentication and comprehensive auditing, improving overall security and ensuring compliance with industry regulations.

  • Streamlined User Management: Centralized identity management, automated workflows, and real-time access updates simplify user administration, making onboarding and offboarding processes smoother and more efficient.

  • Improved User Experience and Integration: Single Sign-On (SSO) and seamless integration with Microsoft services enhance the user experience by providing consistent access across multiple applications with a single set of credentials.

Entra ID SSO is a paid add-on to your current Cinode plan. Contact Cinode support to enable the functionality. You need to be an Administrator in Cinode and in the Entra ID to set up the integration.

First setup - how to do it

First, you'll need to approve the Cinode application using your Entra ID. This is done by setting up Single Sign-On (SSO) for one user and then logging in to Cinode as that user via SSO.

Add the login type

  1. Go to the link Administration in the sidebar and select Integrations:

2. On the Integrations page, select the tab Account types.

3. Click the button Activate new account type:

4. Select "Aad" as the account type in the dropdown menu and click Save.

5. Entra ID (Aad) will now be displayed as an added account type:

Set up SSO for a user

When the AAD login type is enabled, SSO must be set up for each user. This is done by adding the unique user identifier (Object ID) from your Entra ID to each user account in Cinode. Once you have retrieved the Object ID for your user from your Entra ID:

  1. Go to the link Administration in the sidebar and select Users:

2. Click the options menu, indicated by the three vertical dots on a user:

3. Select Edit login type and select ADD :

4. Finally, add the unique ObjectID that you retrieved from Entra ID related to the specific user in the "Object Identifier" field:

When done, log out of Cinode and log in via SSO as the same user.

You will receive a request to approve the Cinode application in Entra ID. If you have administrator access to Entra, you can approve it directly. If not, you will need to send a request to have the Cinode application approved.

Please note that it is possible to mix login methods; some users may log in via SSO, while others use a password. In such cases, you must add both "Aad" and "Password" as account types. Additionally, you will need to include an Object ID for users who log in via SSO.

Configure Cinode to support provisioning with Azure AD

Preparations & Prerequisites:

The scenario outlined in this tutorial assumes that you already have the following prerequisites:

  • A user account in Azure AD with permission to configure provisioning (for example, Application Administrator, Cloud Application Administrator, Application Owner, or Global Administrator).

  • A user account in Cinode with administrator rights.

Capabilities supported

✅ Create users in Cinode

✅ Disconnect users in Cinode when they no longer require access

✅ Keep user attributes synchronized between Entra ID and Cinode

✅ Provision Security groups to team memberships in Cinode

✅ Provision Permission level (Roles) to Cinode via Security groups

Step 1. Plan your provisioning deployment

  1. Determine who will be in scope for provisioning.

  2. Determine what data to map between Azure AD and Cinode.

Step 2. Configuration in Cinode to support provisioning with Entra ID

  1. Sign in to Cinode with a user account that has Administrator rights. Navigate to Administration.

  2. Navigate to Integrations -> Tokens

  3. Choose “create a new SCIM token” in Cinode.

  4. Enter an appropriate name and an expiry date, for example one year ahead. Note that once this date has passed, the integration will stop working, so we recommend creating a reminder for it.

  5. Click Create token.

  6. Copy the Tenant URL and the Token. You will enter these values in the Provisioning tab of your Cinode application in the Entra portal.

Step 3. In Entra ID: Add Cinode from the Enterprise application gallery

Add the Cinode app via Enterprise Applications to start managing provisioning to Cinode. If you have previously set up Cinode for SSO, you can use the same application. However, it is recommended to create a separate app when initially testing the integration. You can learn more about adding an application from the gallery here.

Step 4. Define who will be in scope for provisioning

The Entra ID provisioning service allows you to determine who will be provisioned based on application assignment and/or user/group attributes. To scope provisioning based on assignment, follow these steps to assign users and groups to the application. When Security groups are synced to Cinode, they will end up as new teams in Cinode. It is possible to map Security groups to existing teams in Cinode.

To scope provisioning based solely on user or group attributes, use a scoping filter as described here.

  • When assigning users and groups to Cinode, select a role other than Default Access. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only available role is Default Access, update the application manifest to add additional roles.

  • Start small by testing with a limited group of users and groups before rolling out to everyone. When the scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. If the scope is set to all users and groups, you can specify an attribute-based scoping filter.

Step 5. How to set up User Provisioning in Microsoft Entra

This section guides you through the steps to configure the Microsoft Entra provisioning service to create, update, and disable users and/or groups in Microsoft Entra.

To configure automatic user provisioning for Cinode in Azure AD:

  1. Sign in to the Entra portal. Select Enterprise Applications, then select All applications.

  2. In the applications list, select Cinode.

  3. Select the Provisioning tab.

  4. Set the Provisioning Mode to Automatic.

  5. Under the Admin Credentials section, input the SCIM 2.0 base URL and Authentication Token values retrieved earlier in Cinode.

    Click Test Connection to ensure Microsoft Entra can connect to Cinode. If the connection fails, ensure your Cinode account has Admin permissions and try again.

  6. In the Notification Email field, enter the email address of a person or group who should receive the provisioning error notifications and select the Send an email notification when a failure occurs check box.

Select Save.

Mapping attributes

You can sync attributes from Microsoft Entra to Cinode.

Under the Mappings section, select Synchronize Azure Active Directory Users to Cinode.

Review the user attributes that are synchronized from Microsoft Entra to Cinode in the Attribute-Mapping section. The attributes selected as Matching properties are used to match the user accounts in Cinode for update operations. If you choose to change the matching target attribute, you must ensure that the Cinode API supports filtering users based on that attribute.

Select the Save button to commit any changes.

Attribute                             Type      Cinode name
userName                              String    username
name.givenName                        String    first name
name.familyName                       String    last name
externalId                            String    externalId
active                                Boolean   status
title                                 String    title (admin setting)
addresses[type eq "work"].locality    String    location
phoneNumbers[type eq "work"].value    String    phone
employeeNumber                        String    employmentNumber
employmentStartDate                   String    employmentStartDate
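
How the attribute paths in the table above land in the JSON body of a SCIM 2.0 User resource, as an added example (not Cinode's or Microsoft's code). The paths are used exactly as the table lists them; treating externalId as the Entra Object ID (a GUID) and the sample values are assumptions.

```python
import re
import uuid

# Target attribute paths, copied from the user mapping table above.
PATHS = ["userName", "name.givenName", "name.familyName", "externalId",
         "active", "title", 'addresses[type eq "work"].locality',
         'phoneNumbers[type eq "work"].value', "employeeNumber",
         "employmentStartDate"]
# Accepted shapes: attr | attr.sub | attr[type eq "x"].sub
_PATH = re.compile(r'^(\w+)(?:\[type eq "(\w+)"\]\.(\w+)|\.(\w+))?$')

def set_path(resource, path, value):
    """Write one value into a SCIM resource at the given attribute path."""
    m = _PATH.match(path)
    if not m:
        raise ValueError(f"unsupported SCIM path: {path}")
    attr, type_filter, filtered_sub, sub = m.groups()
    if type_filter:
        # Multi-valued attribute: reuse or create the element of that type.
        items = resource.setdefault(attr, [])
        item = next((i for i in items if i.get("type") == type_filter), None)
        if item is None:
            item = {"type": type_filter}
            items.append(item)
        item[filtered_sub] = value
    elif sub:
        resource.setdefault(attr, {})[sub] = value  # complex attribute
    else:
        resource[attr] = value  # simple attribute

def build_user(values):
    """Build a SCIM 2.0 User body from a {mapping path: value} dict."""
    unknown = sorted(set(values) - set(PATHS))
    if unknown:
        raise ValueError(f"not in the mapping table: {unknown}")
    # Assumption: externalId carries the Entra Object ID, which is a GUID.
    uuid.UUID(values["externalId"])
    if not isinstance(values["active"], bool):
        raise ValueError("active must be a Boolean, as the table states")
    user = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"]}
    for path, value in values.items():
        set_path(user, path, value)
    return user

# Constructed sample values, not taken from any real tenant.
SAMPLE = {"userName": "anna@example.com", "name.givenName": "Anna",
          "name.familyName": "Berg", "active": True,
          "externalId": "3f2b8c1e-7a4d-4e9b-9c55-0d1a2b3c4d5e",
          'addresses[type eq "work"].locality': "Stockholm"}
```

Calling build_user(SAMPLE) returns the nested body; a string such as "False" for active, or an externalId that is not a GUID, is rejected before anything is built.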

To connect existing users in Cinode to Microsoft Entra accounts via the matching object e-mail, note that you need to update the attribute externalId and set "Apply the mapping" to "Always":

10. Under the Mappings section, select Synchronize Azure Active Directory Groups to Cinode.

11. Review the group attributes that are synchronized from Azure AD to Cinode in the Attribute-Mapping section. The attributes selected as Matching properties are used to match the groups in Cinode for update operations. Select the Save button to commit any changes.

Attribute      Type
displayName    String
externalId     String
members        Reference

12. To configure scoping filters, refer to the following instructions provided in the Scoping filter tutorial.

14. To test the integration, try Provision on demand for a user. If the user already exists in Cinode, the login credentials will be changed. You can see this by checking the login type.

If the Object ID has been imported to the user, the provisioning is working.

If you are provisioning a new user, the user will be visible in Cinode.

13. To enable the Microsoft Entra provisioning service for Cinode, change the Provisioning Status to On in the Settings section.

14. Define the users and/or groups that you would like to provision to Cinode by choosing the desired values in Scope in the Settings section.

This operation starts the initial synchronization cycle of all users and groups defined in Scope in the Settings section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running.
