
Intro

Microsoft’s Entra application gallery is a collection of software as a service (SaaS) applications preintegrated with Microsoft Entra ID. Users can search for and deploy apps that are tested and certified by Microsoft. Both Premium and Standard users can integrate with Domo for Single Sign-On (SSO). To set up SSO, you must have a Domo Admin system role or a custom role with the Manage All Company Settings grant enabled. Learn more about grants and custom roles. This article describes how to implement SSO with Entra ID.

Implement SSO with Entra ID

Important: You are responsible for properly setting up your Entra ID instance. This includes creating a directory, adding users to the directory, and entering all user information. For more information, you can read Microsoft Entra’s tutorial for SSO integration with Domo.
  1. Sign in to the Microsoft Entra admin center, at least as a Cloud Application Administrator.
  2. Go to Identity > Applications > Enterprise applications > Domo > Single sign-on.
  3. On the Select a single sign-on method page, select SAML.
  4. On the Set up single sign-on with SAML page, select Edit.
  5. In a separate browser tab, log into Domo as an Admin user and navigate to More > Admin to view the Admin Settings.
  6. Under Authentication, select SAML (SSO).
  7. On the SAML (SSO) page, select Start Setup > Manual setup.
  8. Under Information your IdP may need, copy the URL in the SAML Assertion Endpoint URL field up to “.com” (the highlighted portion in the image below). This will be used for both the Entra Sign On URL and Identifier (Entity ID) fields.
    [Image: the SAML Assertion Endpoint URL field with the portion up to “.com” highlighted]
  9. Return to the Entra browser tab.
  10. In the Basic SAML Configuration section, enter the values for the following fields:
    1. In the Sign on URL text box, paste the URL you copied from Domo.
    2. In the Identifier (Entity ID) text box, paste the same URL you copied from Domo.
  11. Copy the URL from the Login URL field. (Note that this URL is the same as the one in the Logout URL.) Note: You may ignore the Microsoft Entra ID Identifier URL as this is not used.
  12. Return to Domo.
  13. Under Information from your IdP, paste the URL from the previous step into the Identity provider endpoint URL field.
  14. In the Entity ID field, paste the value from step 8 (the highlighted portion).
  15. Return to Entra.
  16. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find Certificate (Base64) and select Download to download the certificate and save it to your computer.
  17. Return to Domo.
  18. Under Information from your IdP, select Upload (up arrow icon) in the Upload x.509 certificate to authenticate request field and add the Base64 certificate you just downloaded.
  19. (Optional) Check the boxes under Advanced settings to configure them. A few are defined below:
    • Only invited people can access Domo — This prevents Entra ID users from logging into Domo through SSO until they are invited to Domo. (By default, when SSO is enabled in Domo, any user in your Entra ID directory can log into Domo.)
    • Import groups from identity provider — This copies your groups from Entra to Domo. Note: Entra doesn’t currently support groups that represent company departments, so Domo doesn’t recommend enabling this option.
      Note: Entra sometimes imports the Group ID rather than the name of the group. You can edit the group name in the Domo Admin Settings under Governance > Groups.
  20. At the top of the Single Sign-On (SSO) page, toggle the switch labeled Enable SSO.
  21. Return to Entra.
  22. Before continuing, you must configure your Domo SAML token attributes. If you don’t, then the Entra ID default settings will be used and usernames within Domo will be overwritten with email addresses.
  23. To configure your SAML token attributes, select ATTRIBUTES.
  24. Configure the user information that is sent to Domo. Domo accepts the following attribute names, and Entra allows you to assign values. When defining attributes passed back to Domo, use the attribute names listed in the table below. The email attribute is required; all others are optional.
    Important: All attribute names should be lowercase except for the SAML_SUBJECT attribute. The Domo Attribute Key value should match the SSO provider’s attribute name so the values can map back properly.

| Attribute | Description |
| --- | --- |
| name | The full name of the user |
| name.personal | The user’s first name |
| name.family | The user’s last name |
| email* | The email address of the user |
| email.secondary | A secondary email address for the user |
| title | The job title of the user |
| user.phone | The primary phone number of the user, usually a mobile phone number |
| desk.phone | The number for the user’s desk phone |
| group | The group that the user belongs to, usually a department name |
| role | The user’s role in the company |
| employee.id | The user’s employee ID |
| hire.date | The user’s hire date |
| title | The user’s job title |
| department | The user’s department in the company |
| location | The company location for the user |
| locale | The user’s locale, which determines settings such as number formats, measurements, etc. |
| timezone | The user’s time zone |

Attributes marked with an asterisk (*) are required. The email can appear in two places in the SAML assertion—as the subject and the email attribute. Either will be accepted.
Tip: Due to the way that Entra ID supports groups, Domo doesn’t recommend sending a “group” attribute.
The next few steps explain how to set the name and email attributes within Entra ID.
  1. Below are the default Entra ID attributes. Delete all rows (except for the first row, which cannot be removed). To delete a row, hover over it and select Delete (x icon). Delete rows with names ending in claims/givenname, claims/surname, claims/emailaddress, and claims/name.
    If you make a mistake, Entra allows you to “reset to default” and start over. After you delete the unnecessary rows, your list should look like the list below. It contains only one row with a name ending in claims/nameidentifier.
    [Image: attribute list after deleting the rows]
  2. Add two new rows for name and email with values that Domo expects.
    1. To add a row for name, do the following:
      1. Select add user attribute. The Add User Attribute modal displays.
      2. Enter name in the ATTRIBUTE NAME field.
      3. Select user.displayname in the ATTRIBUTE VALUE dropdown.
      4. Select the checkmark at the bottom right of the modal.
      Note: Display Name is the default field that contains the user’s full name. If you customize this field or do not use it, you may need to contact the Entra team for help in identifying which field to use to get the user’s full name.
    2. To add a row for email, do the following:
      1. Select add user attribute. The Add User Attribute modal displays.
      2. Enter email in the ATTRIBUTE NAME field.
      3. Select “user.mail” in the ATTRIBUTE VALUE dropdown.
      4. Select the checkmark at the bottom right of the modal. Your final attributes should look like the screenshot below:
        [Image: final attribute list]
    3. (Optional) If you want to add a title, phone, and/or group, do so now using the same workflow that you did for name and email.
  3. Select Apply Changes. This concludes the SSO setup within Entra.
  4. In Domo, select Save Config.
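
The attribute rules from the steps above (lowercase names from the table, Entra default rows removed, email present as the subject or as an attribute) can be checked against a decoded assertion from a test sign-in. This is an added example, not Domo or Microsoft code: the sample assertion is constructed, `check_assertion` is a hypothetical helper, and treating a NameID that contains "@" as an email is an assumption.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute names Domo accepts, copied from the table on this page.
DOMO_ATTRIBUTES = {
    "name", "name.personal", "name.family", "email", "email.secondary",
    "title", "user.phone", "desk.phone", "group", "role", "employee.id",
    "hire.date", "department", "location", "locale", "timezone",
}
# Suffixes of the Entra ID default rows this page says to delete.
ENTRA_DEFAULTS = ("claims/givenname", "claims/surname",
                  "claims/emailaddress", "claims/name")

# Constructed sample assertion (trimmed, unsigned), not from a real tenant.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>a1b2c3</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="name"><saml:AttributeValue>Alice Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(xml_text):
    """Return findings for one decoded assertion from a trusted test capture."""
    # Inspects attribute names only; it does not verify the assertion signature.
    root = ET.fromstring(xml_text)
    name_id = root.findtext(".//saml:Subject/saml:NameID", "", NS).strip()
    sent = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        sent[attr.get("Name", "")] = attr.findtext("saml:AttributeValue", "", NS).strip()
    findings = []
    for name in sent:
        if name in DOMO_ATTRIBUTES:
            continue
        if name.lower() in DOMO_ATTRIBUTES:
            findings.append(f"{name}: attribute name must be lowercase")
        elif name.endswith(ENTRA_DEFAULTS):
            findings.append(f"{name}: Entra default row, delete it")
        else:
            findings.append(f"{name}: not in Domo's attribute table")
    # Heuristic (assumption): a NameID containing "@" counts as an email subject.
    if not sent.get("email") and "@" not in name_id:
        findings.append("email: required, absent from subject and attributes")
    if "group" in sent:
        findings.append("group: not recommended with Entra ID")
    return findings

print("\n".join(check_assertion(SAMPLE)))
```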

Test Connection to Domo

Test your connection in Domo by clicking the Test Config button at the top of the Single Sign-On (SSO) page. Note: Entra may take up to five minutes to apply your settings, so the connection test may not immediately work. If you followed all the implementation steps correctly, you should see a success message. If not, review the above steps or contact Domo Support.