Modern organisations often rely on identity providers (IdPs) such as Entra ID (Azure AD), Okta, Google, or Ping Identity. These platforms streamline authentication, reduce password fatigue, and centralise user management - all of which help IT teams keep things running smoothly (and securely) without chasing down forgotten passwords.
With Entra ID, you can federate your Fugo account and enable Single Sign-On (SSO), allowing seamless access to Fugo via your organisation’s credentials.
This guide covers both cloud-only Entra ID (pure Azure/Entra accounts) and hybrid identity setups (Active Directory synchronized with Entra ID).
Prerequisites
Administrator access to the Entra ID (Azure AD) Portal.
Administrator access to your Fugo account.
For hybrid setups: Entra Connect must be operational, synchronizing your on-premises Active Directory to Entra ID.
Add Fugo SSO application to Entra ID
Sign in to the Entra ID Portal with an admin account.
Navigate to Identity > Applications > Enterprise Applications.
Click New Application.
Select Create your own application (Fugo is not in the gallery yet).
Name the app (e.g., “Fugo SSO”) and select Integrate any other application you don’t find in the gallery.
Click Create. You’ll be taken to the app’s overview page.
Basic SAML configuration (dummy values)
At this point, you won't have the real values from Fugo just yet - but that’s expected. We'll plug those in once the connection is made.
Use placeholder values for now:
Go to Single sign-on in your new app and select SAML.
Under Basic SAML Configuration, click Edit.
Enter the following dummy values:
Identifier (Entity ID): https://dummy.value
Reply URL (ACS): https://dummy.value
Save your changes. You will update these values later.
Attributes & claims
In the SAML configuration, go to Attributes & Claims and click Edit.
Add a new claim:
Name: fugo_role
Source: As required for your role mapping
To assign users to Fugo spaces, add another claim:
Name: fugo_space
Source: As required
Save any changes.
Mapping Fugo role & space claims
Now that you’ve created your claims, let’s talk about what to map them to - this ensures users land in the right places with the right permissions in Fugo.
When adding the fugo_role and fugo_space claims, you’ll want these to reflect the actual user roles and space memberships in Fugo. This is usually achieved by mapping them to attributes or group memberships in Entra ID.
For cloud-only users
If you manage all users directly in Entra ID, you can:
Use user attributes (such as jobTitle, department, or custom attributes) as the source for your claims.
Alternatively, use group membership to set role or space claims.
For hybrid (Active Directory + Entra) users
If your users are synchronised from on-premises AD, you'll typically want to:
Use AD attributes (synced into Entra as part of the user profile) as the claim source.
Or, use group membership - assigning users to AD groups (which sync to Entra).
How to configure
Let’s walk through how to actually map these attributes or groups to your SAML claims.
In Attributes & Claims, click Add new claim.
For Name, enter fugo_role or fugo_space.
For Source, choose:
Attribute: Select the appropriate user attribute (e.g. department, extensionAttribute1, etc.).
Group: If using group membership, select Transformation → Join group names (or similar, depending on Entra UI).
If using group-based roles or spaces, ensure your on-premises AD groups are synchronised to Entra and assigned to the Fugo SSO app.
Click Save.
Example:
To set a user’s Fugo role from an AD attribute (e.g. extensionAttribute1), map fugo_role to that attribute.
To assign a Fugo space based on group, create a group claim, or use group name transformation.
Note: For users logging in via IdP-initiated SSO, these claims will be included in the SAML response, ensuring Fugo receives the correct role and space data automatically.
SAML certificates
Under SAML Certificates, download the Base64 certificate.
Open the certificate file and copy the contents (excluding the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines).
You’ll need this for the Fugo SSO configuration.
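A check you can run on the copied value before pasting it into Fugo, added here as an example and not code from Fugo or Microsoft: it rejects leftover BEGIN/END lines, invalid Base64 and truncated pastes, and returns fingerprints of the decoded certificate. The function name is hypothetical and the sample input is a constructed DER blob, not a real certificate.

```python
import base64
import binascii
import hashlib

# Constructed stand-in for a certificate body: a tiny DER SEQUENCE, not a real X.509 cert.
TOY_DER = bytes.fromhex("3006020101020102")
SAMPLE_FIELD = base64.b64encode(TOY_DER).decode()

def check_certificate_field(pasted):
    """Validate text destined for the Certificate field; return DER size and fingerprints."""
    lines = [ln.strip() for ln in pasted.splitlines() if ln.strip()]
    if any(ln.startswith("-----") for ln in lines):
        raise ValueError("BEGIN/END CERTIFICATE lines are still present")
    try:
        der = base64.b64decode("".join(lines), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid Base64: {exc}") from exc
    # A certificate is one DER SEQUENCE: tag 0x30, then a length covering the rest.
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("decoded data does not start with a DER SEQUENCE")
    if der[1] < 0x80:                      # short form: length in one byte
        header, body = 2, der[1]
    else:                                  # long form: next n bytes hold the length
        n = der[1] & 0x7F
        header, body = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + body != len(der):
        raise ValueError("length mismatch: the paste is truncated or has extra data")
    return {"der_length": len(der),
            "sha1": hashlib.sha1(der).hexdigest().upper(),
            "sha256": hashlib.sha256(der).hexdigest().upper()}

if __name__ == "__main__":
    print(check_certificate_field(SAMPLE_FIELD))
```

Comparing the returned fingerprint with the thumbprint Entra lists for the certificate confirms that the value you pasted is the certificate you downloaded.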
Assign users & roles in Entra ID
Almost there! Before anyone can use SSO, you’ll need to assign them to the app in Entra.
In the app’s overview, select Users and groups.
Click Add user/group and assign users who need access to Fugo.
Optionally, assign roles if you have configured role-based access.
Hybrid deployments
If your users are synchronised from on-premises Active Directory, ensure they appear in Entra ID and are assigned to the Fugo SSO app.
Configure Fugo SSO
Log into your Fugo account.
Go to Account Settings > Single Sign On.
Enter:
Identity Provider Name: (e.g., Entra ID)
Login URL: (from Entra SAML configuration)
Logout URL: (from Entra SAML configuration)
Domain: (your corporate domain)
Certificate: (paste the Base64 content copied earlier)
Save your settings.
Fugo will now display the correct Redirect URL (ACS) and Entity ID.
Update SAML settings in Entra ID
Return to Basic SAML Configuration in Entra ID.
Replace the dummy Entity ID and Reply URL (ACS) with the actual values from Fugo.
Save your changes.
Testing SSO
Sign out of Fugo.
On the login page, choose Sign in with Single Sign-On.
Enter your Entra ID email address.
Complete the Entra ID authentication.
When prompted, link your Fugo account if required.
Assigning Fugo roles & space memberships from your IdP
Once users are logging in, these claims help Fugo know who belongs where and what they can do. A couple of details to watch for:
The fugo_role claim must match a role name in your Fugo account. If not found, the user is assigned the default role (typically “admin”, but this can be changed).
The fugo_space claim must correspond to an existing Fugo space; otherwise, the user is added to the root space.
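Because an unmatched fugo_role silently falls back to the default role, it is worth checking what a test login actually sends. The audit below is an added example, not Fugo's code: it reads the attribute statement from a decoded SAML assertion and lists every claim that would trigger a fallback. The role and space names, the sample assertion and the exact, case-sensitive comparison are assumptions.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Assumed names for illustration: use the roles and spaces defined in your Fugo account.
FUGO_ROLES = {"admin", "editor", "viewer"}
FUGO_SPACES = {"London", "Berlin"}

# Constructed sample: attribute statement from a decoded SAML response (test login).
SAMPLE_ASSERTION = """
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="fugo_role">
      <saml:AttributeValue>Editor</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="fugo_space">
      <saml:AttributeValue>London</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def claim_values(assertion_xml, name):
    """Return every value sent for the SAML attribute called `name`."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") == name:
            for value in attr.iter(f"{{{SAML_NS}}}AttributeValue"):
                values.append((value.text or "").strip())
    return values

def audit_claims(assertion_xml, roles=FUGO_ROLES, spaces=FUGO_SPACES):
    """List (claim, value, outcome) for each claim that would not match in Fugo."""
    findings = []
    checks = (("fugo_role", roles, "default role"),
              ("fugo_space", spaces, "root space"))
    for claim, known, fallback in checks:
        values = claim_values(assertion_xml, claim)
        if not values:
            findings.append((claim, None, "claim missing"))
        # Exact, case-sensitive comparison is an assumption about Fugo's matching.
        findings += [(claim, v, fallback) for v in values if v not in known]
    return findings

if __name__ == "__main__":
    for claim, value, outcome in audit_claims(SAMPLE_ASSERTION):
        print(f"{claim}={value!r} -> {outcome}")
```

An empty result means every claim in the assertion matched a known role or space; any "default role" finding deserves attention when the default role is a privileged one.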
Troubleshooting & support
If things don’t go quite as planned, don't fret. Here are a few quick checks to get you back on track.
If you encounter issues, double-check the ACS and Entity ID values in both Fugo and Entra ID.
Ensure the certificate is correctly formatted.
For hybrid setups, verify that directory synchronization is healthy and that users have been assigned the Fugo SSO app.
If you need more help, reach out to our team at support@fugo.ai or write to us in the handy in-app support chat!