Skip to content

SSO Azure Security Permissions

Minimum Security

  • TLS 1.2+ on all endpoints.

  • Signed assertions (RSA 2048+).

  • Store PEM securely. Limit access.

Role & Group Mapping

  • Provide group-to-role CSV or JSON.

  • Map least-privilege groups to Admin, Developer, Viewer.

  • Test mapping with non-admin accounts.

Certificate Rotation

  1. Generate new certificate on Azure

    Generate the new certificate/keys in Azure.

  2. Upload metadata/PEM to SailPoint Entro staging

    Upload the new metadata and PEM to the SailPoint Entro staging environment.

  3. Test with a test user

    Verify authentication and assertions using a test user account.

  4. Schedule cutover and revoke old cert after validation

    Perform cutover once validation succeeds, then revoke the old certificate.

Diagnostics & Logs

  • Check Azure Sign-in logs and SailPoint Entro SSO logs.

  • Capture assertion_id, issuer, email, and timestamps.

Capture the following fields when reviewing diagnostics and logs:

  • assertion_id

  • issuer

  • email

  • timestamps

Recovery

  • Keep an emergency local admin not bound to SSO.

  • Document rollback steps and test quarterly.