
Single Sign-On with Microsoft Entra

How to configure SSO for Microsoft Entra (Azure AD).

If your organization uses Entra ID (formerly Microsoft Azure AD) for single sign-on, you can manage access to Veza through a pre-built integration available in the Microsoft Entra application gallery.

After configuring the Veza gallery app, you can assign users and groups, and use Entra ID to manage their teams and roles within Veza.

Requirements

  • A Microsoft Entra subscription

  • Permission to create enterprise applications in Entra (such as the Application Administrator role)

  • Administrator access to Veza to retrieve the SAML configuration values.

  • To enable role mappings for Entra ID groups, Team and Role Mapping (Early Access) must be enabled for your Veza platform.

Configure Single Sign-On

Role Mapping for Entra ID

Configure role mappings in Veza to assign teams and roles based on metadata in the SAML claim when users log in.

  1. Edit the Veza gallery application to add a group claim.

  2. Choose to return Groups assigned to the application with source attribute "Group ID."

  3. In Entra, view Users and groups to list the groups assigned to the Veza application:

  4. For each group, view the group in Entra and copy its object ID to use in Veza:

  5. In Veza, edit the SAML configuration to add a mapping for each group:

    • Attribute: For Entra ID, set this to http://schemas.microsoft.com/ws/2008/06/identity/claims/groups.

    • Team Role Mapping: Enable to map Entra ID groups to Veza teams and roles.

    • Mapping: For Entra ID, the group Object ID to map to the role/team.

    • Role / Team: The root team role or team-role assignment mapped to a group ID.

We recommend against sending All Groups to Veza.

Entra has upper limits on the number of groups that can be sent in a SAML token. If you have a large number of groups, you will need to filter the groups sent to Veza.

Important: The role mapping must use the group's Object ID attribute (not a friendly name or sAMAccountName). To retrieve this value for role mapping configurations:

Open an individual group to view details:

Or check the IDs on the Groups > All Groups page:
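As an added example that is not part of Veza's product, the following Python shows what the mapping above does with an incoming groups claim: it maps group object IDs to team/role pairs, reports a value that is a friendly name rather than an object ID, and treats an absent or capped claim as a problem. The mapping table, object IDs and assertion are constructed, and the 150-group cap is Microsoft's documented SAML token limit rather than a number from this page:

```python
"""Resolve Veza team/role assignments from an Entra groups claim.
Added example, not Veza's code; the mapping, object IDs and assertion are constructed."""
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
OBJECT_ID = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
# Microsoft's documented cap on groups in a SAML token (this page only says "upper limits");
# at the cap the list is no longer complete, so stop trusting it and filter groups instead.
ENTRA_SAML_GROUP_CAP = 150

# Constructed mapping table, as entered under Role Mapping: object ID -> (team, role).
ROLE_MAPPINGS = {
    "11111111-aaaa-4bbb-8ccc-000000000001": ("Root", "admin"),
    "11111111-aaaa-4bbb-8ccc-000000000002": ("Security", "viewer"),
}

# Constructed assertion fragment; the last value is a friendly name, which is a config mistake.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>11111111-aaaa-4bbb-8ccc-000000000001</saml:AttributeValue>
      <saml:AttributeValue>11111111-aaaa-4bbb-8ccc-000000000002</saml:AttributeValue>
      <saml:AttributeValue>99999999-aaaa-4bbb-8ccc-000000000009</saml:AttributeValue>
      <saml:AttributeValue>Veza Administrators</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def claim_values(assertion_xml: str, name: str) -> list:
    """All AttributeValue strings for the attribute called `name`."""
    root = ET.fromstring(assertion_xml)
    path = f".//saml:Attribute[@Name='{name}']/saml:AttributeValue"
    return [(v.text or "").strip() for v in root.findall(path, NS)]

def resolve_roles(assertion_xml: str, mappings: dict = ROLE_MAPPINGS):
    """Return (sorted team/role pairs, list of problems found in the claim)."""
    values = claim_values(assertion_xml, GROUPS_CLAIM)
    problems = []
    if not values:
        problems.append("no groups claim: check the group claim on the gallery app, "
                        "or the user exceeds Entra's group limit")
    elif len(values) >= ENTRA_SAML_GROUP_CAP:
        problems.append("groups claim is at Entra's cap; filter the groups sent to Veza")
    assignments = set()
    for v in values:
        if not OBJECT_ID.match(v):
            problems.append(f"not an object ID (friendly name?): {v!r}")
        elif v in mappings:
            assignments.add(mappings[v])
        # an unmapped object ID is fine: the group is assigned to the app but grants no Veza role
    return sorted(assignments), problems
```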

To install Veza as an official gallery application, follow the instructions provided in the Microsoft Entra SSO integration with Veza tutorial.

To enable group claims for the Veza SAML app, follow the instructions in Add group claims to tokens for SAML applications using SSO configuration. You will need to:

See for more details.


SAML Single Sign-On

Enabling Multi-factor Authentication and Single Sign-On for Veza

Overview

Veza supports SAML, the XML-based standard for single-sign-on. When enabled, users can log in to Veza using a third-party Identity Provider, such as OneLogin, Okta, Azure AD, or a custom provider.

After registering Veza as a SAML service provider (SP) with your IdP and configuring the connection from Administration > Sign-in Settings, you can assign access to Veza directly from the IdP. The login page will offer the option to "Login with SSO" and redirect users to your IdP for authentication.

SSO flows can be:

  • Service Provider-initiated: Users log in at the Veza home page (yourorg.vezacloud.com)

  • Identity Provider-initiated: Users log in to Veza via their IdP app dashboard (such as your organization's Okta Portal)

We have detailed the steps to configure SAML for the following Identity Providers:

  • Okta

  • Microsoft Entra (Azure AD)

Enabling SAML

Prerequisites: To enable SSO, your Identity Provider and Veza must both be configured to establish the trusted connection:

  • You'll need administrator access to your IdP and Veza.

  • You'll need your IdP Sign-in (Log-in) URL and X.509 SAML Certificate.

  • Your IdP must support the SAML 2.0 standard.

  • The SAML NameID used by the IdP must contain the user's email address.

You can download service provider (SP) metadata from Veza to reference when configuring the connection in your Identity Provider. When configuring your IdP, you should retrieve an X.509 certificate and the Single Sign-On URL, which Veza will need to enable SSO.

The following order of operations is recommended:

  1. Connect to your identity provider to get the required IdP SAML metadata. You will need the X.509 certificate, Sign-In URL, and SAML request protocol binding. You will also need the signing request algorithm and digest, unless your IdP doesn't support signed requests.

  2. Log in to Veza using your administrator username and password. Navigate to Administration > Sign-in Settings, and choose to enable SAML. Click "Configure."

  3. Complete the required fields, save the configuration, and download the service provider (SP) metadata.

  4. Log in to your Identity Provider (IdP), and use the SP metadata from Veza to register a new SAML service provider.

  5. Enable the SSO connection from Veza Administration > Sign-in Settings panel

See Veza Configuration and Identity Provider Configuration below for details on the information you will need to provide at each step.

Configure Veza for Single Sign-On

1. Create a new SAML connection

You can download SP metadata from Veza, which contains information you'll need to set up SSO within your IdP. First, you'll need to save a new SAML configuration from Administration > Sign-in Settings. You will need to provide the following information:

  • IdP Sign-in URL: The IdP sign-in URL used to access your company portal.

  • X.509 Signing Certificate: The SAML public certificate (X.509) used to verify the IdP, uploaded as a Base64-encoded string.

  • Sign Request Algorithm: The signature algorithm used to sign SAML AuthnRequest messages sent to the Identity Provider. Valid values are: rsa-sha256.

  • Sign Request Algorithm Digest: The digest algorithm used to digitally sign the SAML assertion and response. Valid values are: sha256.

  • SAML Request Protocol Binding (HTTP-POST or HTTP-Redirect): The binding used by the IdP when sending the SAML Response XML, literally "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" (default) or "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect".

  • Enable IdP Initiated Login: Allows IdP-initiated sign-in requests.

  • Button Logo URL: Custom logo displayed on the "Continue with SAML SSO" button on Veza's login screen. The image must be in PNG or SVG format and should be 32×32 pixels for optimal display.

  • Issuer ID: The URL that uniquely identifies your identity provider in the SAML assertion, e.g., http://www.okta.com/ackfl76549mHKsk9q5d7 (Okta) or https://sts.windows.net/00000000-0000-0000-0000-000000000000 (Entra).
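As an added example (not Veza's own code), the following Python pulls the values above out of an IdP's SAML metadata. It parses a constructed metadata document whose hostname login.example.test and certificate body are placeholders, and refuses a certificate that is not DER-encoded or a sign-in URL that is not HTTPS:

```python
"""Extract the Sign-in Settings values above from an IdP's SAML metadata.
Added example, not Veza's code; input is a constructed metadata document."""
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUPPORTED_BINDINGS = {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
                      "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"}

# Constructed sample; login.example.test is made up and the certificate body is a placeholder.
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIBsampleCERTdataQ==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.example.test/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.example.test/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def extract_idp_settings(metadata_xml: str) -> dict:
    """Return the values to enter in Veza, or raise ValueError on unusable metadata."""
    root = ET.fromstring(metadata_xml)
    issuer_id = root.get("entityID")
    if not issuer_id:
        raise ValueError("metadata has no entityID to use as Issuer ID")
    cert_el = root.find("md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']"
                        "/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert_el is None or not cert_el.text:
        raise ValueError("no signing certificate in IdP metadata")
    cert_b64 = "".join(cert_el.text.split())        # drop PEM-style line wrapping
    der = base64.b64decode(cert_b64, validate=True)  # reject anything that is not Base64
    if der[:1] != b"\x30":                           # DER X.509 always starts with SEQUENCE
        raise ValueError("certificate is not DER-encoded X.509")
    sign_in_urls = {}
    for svc in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS):
        binding, location = svc.get("Binding", ""), svc.get("Location", "")
        if binding in SUPPORTED_BINDINGS and location.startswith("https://"):
            sign_in_urls[binding.rsplit(":", 1)[1]] = location   # "HTTP-POST" / "HTTP-Redirect"
    if not sign_in_urls:
        raise ValueError("no HTTPS SingleSignOnService using HTTP-POST or HTTP-Redirect")
    return {"issuer_id": issuer_id, "x509_signing_certificate": cert_b64,
            "sign_in_urls": sign_in_urls,   # pick the one matching the binding chosen in Veza
            "sign_request_algorithm": "rsa-sha256", "sign_request_digest": "sha256"}
```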

2. Enable Identity Provider-initiated Single Sign On (optional)

When enabled, authorized IdP users accessing Veza via the IdP app portal will be logged in automatically.

3. Download the service provider metadata

Once you have saved the SSO configuration, you can download the service provider metadata for Veza in SAML format. This information can be imported into most identity providers or used for reference if you need to input the values manually.

4. Enable or Disable an SSO connection

Enable the SAML connection from the Authentication panel after registering Veza with your Identity Provider (see below). Once enabled, visitors to your Veza instance can log in with a username/password or authenticate via the IdP sign-in URL.

Configure Identity Provider for Single Sign-On

If you want to enable Single Logout, do so after creating the connection in Veza and obtaining the SLO URL, SP Issuer (SP Entity ID), and SP Certificate from Veza's SP metadata.

Managing SAML users

After configuring a SAML identity provider, you can manage Veza users from your Identity Provider by assigning an IdP user or group to the Veza application. The first time a user logs in to Veza with SSO, a local Veza user account is created and shown on the Administration > User Management page.

Notes:

  • IdP user passwords cannot be changed from the Veza UI

  • No account creation email will be sent until the user first logs in. You may want to inform users that they can now access Veza using their IdP credentials.

  • You should retain a Veza admin account configured for password authentication to use if the SSO connection is disrupted.

Attribute Mapping

Click on the Attribute Mapping header to expand the section.

When configuring SAML, you can map user attributes from your IdP to Veza. The following attributes are supported:

Teams (Role Assignments) with Single Sign-On

Role mapping allows you to assign teams and roles based on a user's groups during login.

For a step-by-step guide to configure SAML for Okta, which may be adapted for other providers, please see SSO For Okta. Instructions are also available for Microsoft Entra (Azure AD).

For advanced user lifecycle management, Veza supports SCIM Provisioning in addition to SAML. When SCIM provisioning is enabled, it becomes the authoritative source for user profile updates, and SAML Just-in-Time (JIT) provisioning is automatically disabled to prevent conflicts.

The exact steps to create a new integration vary depending on your IdP. Typically, you will need to register a new application or service provider and specify the Single Sign-On URL assigned to your Veza instance (responsible for handling SAML assertions).

For additional resources on adding a new SAML provider with common IdPs, you can refer to the standard documentation for AzureAD, Okta, and Google.

See Attribute Mapping for details on how to configure attribute mapping for SSO users.

See Role Mapping for details on how to configure teams and roles for SSO users.


Group Mapping for Okta

Map Okta Groups to Veza roles to enable user management based on Okta group assignments.

Background

Veza can interpret an incoming SAML claim from an identity provider (IdP) to assign federated users to teams and roles based on group assignments in your IdP. If you do not want to create groups in your IdP with the exact naming syntax required by Veza, this document will help you map any group to the expected SAML Attribute Statements.

To enable SAML role assignments when users log in, an administrator will need to do one of the following:

  • In Okta, add a custom attribute for Veza app users that will contain their Veza role. Configure the application to include the custom attribute in a SAML groups attribute statement. Then, assign groups to the Veza application and specify the group role in the format {Team SSO Alias}:{role name}.

The instructions in this guide are for the second approach. Use them to map an Okta group (such as a "Veza Administrators" group) to a SAML Attribute Statement Value of Root:admin. Users in this group can log in to Veza with the admin role, without additional configuration of custom role mappings in Veza.

Define an AppUser Custom Attribute on the Veza SAML App

Go to Okta Directory > Profile Editor. Click on the Veza integration app user to edit it and click Add Attribute.

  • Data Type: String Array

  • Display Name: Veza Role

  • Variable Name: role

  • Description: Role for users in Veza

  • Attribute Type: Group

  • Group Priority: Combine values across groups (this is important for users with more than one role: Okta will send all role values to Veza rather than only the role mapped to the highest-priority group)

Add the SAML Attribute Statement on the Veza SAML App

Go to Okta Applications > Applications and click the Veza app integration to view details.

  1. In the General tab, scroll down to SAML Settings, and click Edit.

  2. In the Configure SAML tab, find the "Attribute Statements (optional)" section

  3. Save the changes.

Go to the Assignments Tab and assign your groups

  1. Click Assign > Assign to groups and search for the group that will correspond to a Veza role (such as "Veza Administrators").

Okta users in the chosen group are now assigned to the application with the Role (role) attribute value of Root:admin (or whatever you put in step 2):

In Veza, configure role mapping to map groups in the incoming SAML claim to Veza roles. Configure the Okta app to include a custom attribute that will contain the groups users belong to. See How to Filter Groups with Regex in Okta to configure a group attribute statement on the Veza app integration.

Add the attribute statement:

  • Name: groups

  • Name format: Unspecified

  • Value: appuser.role (assuming the AppUser variable name is role)

By default, the SAML Attribute Statement on the Veza SAML App must be named groups. If you must use a name other than groups, you must specify the custom attribute name in the Veza SSO configuration.

Click Assign and specify the Role attribute with the desired role. The value of the Attribute Statement should be {SSO Alias}:{role name}
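As an added example (not Okta's or Veza's code), the following Python works through the approach above: it simulates what the AppUser role attribute carries under the two Group Priority settings, then resolves the resulting groups attribute statement values, taking {Team SSO Alias}:{role name} values directly and looking plain group names up in a Veza-side mapping. The group names, the Security alias and the viewer role are constructed:

```python
"""Work through the Okta custom-attribute approach described above.
Added example, not Okta's or Veza's code; group names, the Security alias and
the viewer role are constructed."""
import re

# {Team SSO Alias}:{role name}: exactly one colon, no empty halves
ROLE_VALUE = re.compile(r"^(?P<alias>[^:\s][^:]*):(?P<role>[^:\s]+)$")

# Constructed: groups assigned to the Veza app in Okta, highest priority first,
# each with the Role attribute value entered at assignment time.
APP_GROUP_ASSIGNMENTS = [
    ("Veza Administrators", ["Root:admin"]),
    ("Security Team", ["Security:viewer"]),
]
# Constructed Veza-side mapping (the other approach): plain group name -> team/role pairs.
VEZA_GROUP_MAPPINGS = {"Security Team": [("Security", "viewer")]}

def app_user_role_values(user_groups: set, combine_across_groups: bool = True) -> list:
    """Values the AppUser `role` attribute carries, and hence what the `groups`
    attribute statement sends. combine_across_groups=False mimics the default
    Group Priority, which keeps only the highest-priority group's value."""
    values = []
    for group, role_values in APP_GROUP_ASSIGNMENTS:
        if group in user_groups:
            values.extend(role_values)
            if not combine_across_groups:
                break
    return values

def resolve_roles(values: list, attribute_name: str = "groups",
                  configured_name: str = "groups"):
    """Turn attribute statement values into sorted (team alias, role) pairs.
    A value in alias:role form is used directly; a plain group name is looked
    up in VEZA_GROUP_MAPPINGS; anything else is reported, not silently dropped."""
    if attribute_name != configured_name:
        raise ValueError(f"statement is named {attribute_name!r} but Veza expects "
                         f"{configured_name!r}; set the custom attribute name in Veza")
    pairs, unresolved = set(), []
    for raw in values:
        value = raw.strip()
        m = ROLE_VALUE.match(value)
        if m:
            pairs.add((m["alias"], m["role"]))
        elif value in VEZA_GROUP_MAPPINGS:
            pairs.update(VEZA_GROUP_MAPPINGS[value])
        else:
            unresolved.append(value)
    return sorted(pairs), unresolved
```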


Single Sign-On with Okta

Adding an Okta SAML integration for Single-Sign On

This guide will help you add an Okta app integration to enable single sign-on (SSO) for Veza, and manage teams and roles within your identity provider.

To enable SSO, you will need access to the Okta admin portal and have the administrator role in Veza.

Before creating the app integration in Okta, log in to Veza and configure your sign-in settings to retrieve the required SAML metadata. After creating the Okta app, return to Veza to update the Sign-in (Log-in) URL and SAML X.509 certificate and enable the configuration. This setup flow will be similar when enabling SSO for other identity providers.

Step 1: Create an Okta app integration

Log in to your Okta administration portal (for example, https://oktadomain-admin.okta.com).

Open Applications > Applications and click Create App Integration.

Enable SAML 2.0 for the protocol and click Next:

Give the app a name and click Next:

Step 2: Configure the app

To configure an Okta app you will need the Veza Single Sign On URL and Audience URI (SP Entity ID).

You can retrieve these by navigating to Veza Administration > Sign-in Settings, clicking Configure to enable SSO, and copying the values at the top of the wizard.

  • SSO URL: The Veza Single Sign on URL (ACS), e.g. https://your-org.vezacloud.com/auth/saml/acs. This is the Location= value in the downloaded SP Metadata.

  • SP Entity ID: The Veza Audience URI (Entity ID), for example https://your-org.vezacloud.com/auth/saml/metadata. This is the entityID= value in the downloaded SP Metadata.

In the App SAML Settings section, enter the Veza SSO URL and SP Entity ID.

  • For Name ID format, pick EmailAddress

  • For Application Username, pick "Okta Username"

Click Next to finish setting up the application. On the final step, click Okta customer and This is an internal app. Click Finish.

After creating the application, you need to configure additional settings on the General tab:

  1. Return to the app's configuration page and select the General tab

  2. Click Edit if the settings are not already in edit mode

  3. Find the Default RelayState field in the application settings

  4. Enter a value of / (a single forward slash) to redirect users to the Veza homepage

  5. Click Save

Important: The Default RelayState parameter is required for IdP-initiated SSO to function correctly. Without this setting, users clicking the Veza tile in the Okta dashboard may encounter errors or failed redirects, even if all other configuration is correct.

Step 3: Get identity provider metadata for the Okta App

On the next screen, click View Setup Instructions:

Copy the “Identity Provider Single Sign-On URL” and "Identity Provider Issuer" values, and download the certificate “X.509 Certificate” which you will need when configuring Veza:

Step 4 (Optional): Enable identity provider managed roles

Veza can use group information from Okta to assign teams and roles when users first log in. Teams are assigned based on mappings in Sign-in Settings. To enable this, you can configure the Okta app to transmit a list of Okta groups the application user belongs to.

  1. Click Show Advanced Settings for the Okta app.

  2. Scroll to Group Attribute Statements (optional).

  3. Enter the attribute name for group values.

  4. Use Filter settings to specify Okta groups to include in the SAML claim.

Next, map these groups to teams and roles in Veza:

  1. Go to Veza Sign-in Settings > SSO > Configure SAML.

  2. Scroll down to the Role Mapping section.

  3. For SAML Attribute, enter groups.

  4. Click "Add" to create a mapping.

  5. Type in the name of the Okta group. Use the dropdown menus to pick a team and role to assign.

  6. Optionally, assign more team and role pairs for the group by clicking the "+" icon in the Actions column.

  7. Repeat this process to add a mapping for each Okta group that will have a team and role in Veza.

Step 5: Configure and enable Veza single sign-on

  1. Click the toggle to enable SSO under Administration > Sign-in Settings.

  2. Click to configure SSO. Enter the Okta sign-in URL and upload the signing certificate.

  3. Enable RSA-SHA-256 and SHA-256 as the Sign Request Algorithm and Digest. Enable HTTP-POST as the Protocol Binding.

  4. The icon chosen with the Button Logo URL appears on the Veza login page.

  5. Tick the box Enable IDP Initiated login. When enabled, app users can open Veza from their Okta dashboard without logging in. Make sure you've configured the Default RelayState as described in Step 2.

  6. For Issuer ID, use the Identity Provider Issuer value from Okta, e.g. http://www.okta.com/ackfl76549mHKsk9q5d7

  7. Add optional role mappings to assign users to Veza teams and roles based on Okta group assignments.

Step 6: Save and enable the connection

Click save on the configuration page to return to Sign-in Settings, and toggle the option to enable SSO. Visitors will now have the choice to Continue with SAML SSO, which will redirect to Okta for authentication.


These settings enable Veza to correctly identify and authenticate managers who are auto-assigned to Access Reviews.


Note: If you want to enable Single Logout, you will need to return to this page and click Show Advanced Settings after you have saved the configuration in Veza. You will need to populate the SLO URL, the SP Issuer (same as the SP Entity ID), and the SP Certificate, all available in the SP metadata.
