Microsoft Entra ID
Configure Hawcx as a SAML identity provider with Microsoft Entra ID (Azure AD)
This guide walks through federating a domain in Microsoft Entra ID (formerly Azure AD) so that login requests are redirected to Hawcx, then configuring SCIM to keep user accounts in sync.
Prerequisites
Before starting, make sure you have:
- Hawcx SSO credentials from Hawcx support (project ID, signing certificate, SCIM bearer token)
- Azure CLI installed and authenticated (
az login) - Global Administrator or equivalent role in your Entra tenant
- A custom domain verified in Entra for the subdomain you want to federate
Need credentials?
If you don't have your Hawcx project ID, signing certificate, and SCIM token yet, contact [email protected] to provision SSO for your organization.
Throughout this guide, replace the following placeholders with your actual values:
| Placeholder | Description |
|---|---|
your-domain.example.com | The domain or subdomain you are federating |
your-project-id | Your Hawcx project ID |
your-signing-certificate | The base64-encoded signing certificate from Hawcx |
your-scim-token | The SCIM bearer token from Hawcx |
Phase 1: Domain Federation
This phase configures Entra to redirect authentication for your federated domain to Hawcx.
Add a custom subdomain
In the Azure portal, navigate to Default Directory > Custom domain names > Add custom domain and enter your subdomain (e.g., your-domain.example.com).
Follow the DNS verification steps if you haven't already verified this domain.
Promote the subdomain (subdomains only)
By default, a subdomain inherits federation settings from its parent domain. Promote it so it can carry its own federation configuration:
az rest \
--method POST \
--url "https://graph.microsoft.com/v1.0/domains/your-domain.example.com/promote"Expected response:
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#Edm.Boolean",
"value": true
}Subdomains only
The promote endpoint is designed for subdomains (e.g., pilot.yourcompany.com). Do not run promote on a root domain (e.g., yourcompany.com). Promoting a root domain can create an orphaned internal federation object that causes the federation POST in the next step to fail silently. If you are federating a root domain, skip this step entirely and proceed directly to creating the federation configuration.
Create the federation configuration
Save the following as federation_config.json, replacing the placeholder values:
{
"@odata.type": "microsoft.graph.internalDomainFederation",
"issuerUri": "https://sandbox.hawcx.com/v1/saml/metadata?project_id=your-project-id",
"passiveSignInUri": "https://sandbox.hawcx.com/v1/saml/sso?project_id=your-project-id",
"metadataExchangeUri": "https://sandbox.hawcx.com/v1/saml/metadata?project_id=your-project-id",
"signingCertificate": "your-signing-certificate",
"preferredAuthenticationProtocol": "saml",
"federatedIdpMfaBehavior": "acceptIfMfaDoneByFederatedIdp"
}The federatedIdpMfaBehavior setting tells Entra to accept MFA performed by Hawcx rather than requiring a second MFA challenge.
Apply the federation configuration
Post the configuration to the Microsoft Graph API:
az rest \
--method POST \
--url "https://graph.microsoft.com/v1.0/domains/your-domain.example.com/federationConfiguration" \
--body "@federation_config.json" \
--headers "Content-Type=application/json"Verify federation is active
Confirm the domain is now federated:
az rest \
--method GET \
--url "https://graph.microsoft.com/v1.0/domains/your-domain.example.com"Look for this field in the response:
"authenticationType": "Federated"If you see "Managed" instead, the federation configuration was not applied. Double-check the domain name and re-run the POST command.
Phase 2: Enterprise Application and SCIM
This phase creates an enterprise application in Entra and configures SCIM to provision users to Hawcx.
Create the enterprise application
- Go to entra.microsoft.com
- Navigate to Applications > Enterprise applications
- Click New application
- Click Create your own application
- Name it (e.g., "Hawcx SSO")
- Select Integrate any other application you don't find in the gallery (Non-gallery)
- Click Create
Assign users or groups
In the enterprise application, go to Users and groups and assign the users or groups that should authenticate through Hawcx.
You can assign individual users or a security group that contains your SSO users.
Configure SCIM provisioning
- In the enterprise application, go to Provisioning
- Click Get started
- Under Admin Credentials, enter:
| Field | Value |
|---|---|
| Tenant URL | https://sandbox.hawcx.com/v1/scim/your-project-id/ |
| Secret Token | your-scim-token |
- Click Test Connection. You should see: "The supplied credentials are authorized to enable provisioning"
- Click Save
Configure attribute mappings
Navigate to Provisioning > Mappings > Provision Azure Active Directory Users and set up the following mappings:
| Entra Attribute | SCIM Attribute |
|---|---|
userPrincipalName | userName |
displayName | displayName |
givenName | name.givenName |
surname | name.familyName |
mail | emails[type eq "work"].value |
objectId | externalId |
Important
Map externalId to Entra's objectId, not mailNickname. This is a common misconfiguration that causes provisioning to silently fail.
Start provisioning
You have two options:
Automatic sync starts a background cycle that provisions all assigned users within 20 to 40 minutes. Go to Provisioning > Overview and click Start provisioning.
Provision on demand lets you provision specific users immediately. Go to Provisioning > Provision on demand, select the users, and click Provision. This is useful for initial testing before enabling the full sync.
Phase 3: Testing and Validation
Once federation and SCIM provisioning are configured, validate the end-to-end login flow.
Verify SCIM provisioning
Before testing login, confirm that your test users have been provisioned:
- In Entra, go to Provisioning > Provisioning logs
- Verify that user creation events show a status of Success
- Check that the provisioned attributes (display name, email) are correct
Test the login flow
Log in to your application using a federated user's email address. The expected flow is:
- The application redirects to Hawcx
- Hawcx authenticates the user (device-bound authentication)
- After authentication, the user is redirected back to the application with an active session
Verify:
- The application redirects to Hawcx (not to a password prompt)
- Hawcx authentication completes successfully
- The user lands back in the application with a valid session
- User attributes (display name, email) appear correctly
Troubleshooting
| Issue | Possible Cause |
|---|---|
| Redirect goes to Microsoft login instead of Hawcx | Domain is not federated. Run the GET verification command from Phase 1 to check authenticationType |
| SCIM test connection fails | Verify the tenant URL includes a trailing slash and the bearer token is correct |
| Users not provisioned | Check attribute mappings, especially externalId. Review provisioning logs in Entra |
| SAML assertion rejected | Signing certificate may be expired or mismatched. Contact Hawcx support for a new certificate |
| MFA prompted twice | Verify federatedIdpMfaBehavior is set to acceptIfMfaDoneByFederatedIdp in the federation config |
Federation POST succeeds but domain stays Managed | You may have run the promote endpoint on a root domain. Promote is only for subdomains. For root domains, skip the promote step and POST the federation config directly |