SSO with Microsoft Entra ID

Wire Entra ID (formerly Azure AD) to Vectis. OIDC is the modern path and covers most MSPs; SAML is available for orgs that standardize on it.

What you’ll need

  • An Entra ID account holding the Application Administrator or Cloud Application Administrator role on your tenant
  • Vectis admin access
  • Your Entra tenant ID (GUID, visible on the Overview blade)

Option A – OIDC (recommended)

  1. In the Entra admin center, go to Applications → App registrations → New registration.
  2. Name it Vectis. Set Supported account types to Accounts in this organizational directory only (Single tenant).
  3. Under Redirect URI, pick Web and paste the OIDC redirect URI from the Vectis SSO page: https://your-workspace.mspvectis.com/api/auth/callback/sso-oidc.
  4. After registration, copy the Application (client) ID and Directory (tenant) ID.
  5. Go to Certificates & secrets → Client secrets → New client secret. Pick the shortest expiry your rotation process can live with (the portal offers up to 24 months) and record the expiry date, because every SSO login fails once it lapses. Copy the Value, not the Secret ID, immediately; it’s never shown again.
  6. Go to API permissions → Add a permission → Microsoft Graph → Delegated permissions and add openid, profile, and email. Grant admin consent.
  7. In Vectis Admin → SSO, pick OIDC. Enter the client ID and client secret. For Issuer URL, use https://login.microsoftonline.com/<tenant-id>/v2.0 with your tenant GUID, not common or organizations: a single-tenant registration must pin the issuer so tokens minted by another tenant fail validation. Endpoint overrides can stay blank; auto-discovery reads them from <issuer>/.well-known/openid-configuration.
  8. Add your org’s email domain (e.g. contoso.onmicrosoft.com or the vanity domain) to Allowed Email Domains. Save. Test the login in a private window.

Option B – SAML 2.0

  1. In Entra, go to Enterprise applications → New application → Create your own application. Name it Vectis and pick Integrate any other application you don’t find in the gallery.
  2. Open Single sign-on → SAML. In the Basic SAML Configuration card, set Identifier (Entity ID) to the Vectis SAML ACS URL shown on the Vectis SSO page (it ends in /api/auth/sso/saml/callback) and Reply URL to the same URL.
  3. In Attributes & Claims, the Unique User Identifier (Name ID) claim is the address Vectis keys the account on. The default user.userprincipalname is fine when UPNs are mail addresses; switch it to user.mail when they differ. Add email and displayName claims if they’re missing.
  4. In SAML Signing Certificate, download Certificate (Base64) and copy the Login URL.
  5. In Vectis Admin → SSO, pick SAML. Paste the Login URL into SSO Entry Point URL, then paste the entire cert body (including the BEGIN/END lines) into IdP Certificate. Save. Note the certificate’s expiry date on the Entra card: the copy in Vectis does not update itself, so it must be re-pasted when Entra rolls the certificate.
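
A check worth running before you save step 5, as an added example that is not part of this guide or of Vectis’s own code: Entra’s SAML Signing Certificate card shows the certificate’s SHA-1 thumbprint, and computing the same value from the PEM you are about to paste confirms it is the right certificate and that the paste was not clipped. The PEM body in the script is a constructed placeholder, not a real certificate, so its thumbprint is only meaningful for the self-consistency checks.

```python
"""Thumbprint check for the IdP certificate pasted into Vectis.

Added example for this guide, not Vectis's own code. SAMPLE_PEM is a
constructed placeholder body shaped like Entra's "Certificate (Base64)"
download; it is not a real certificate.
"""
import base64
import binascii
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Base64-decode the first CERTIFICATE block in the text.

    Tolerates CRLF line endings, indentation from a paste, and a body that
    arrived on a single line; rejects text without the BEGIN/END lines,
    which is the usual sign that only part of the file was copied."""
    match = PEM_BLOCK.search(pem)
    if not match:
        raise ValueError("no BEGIN/END CERTIFICATE lines; paste the whole file")
    body = re.sub(r"\s+", "", match.group(1))
    try:
        return base64.b64decode(body, validate=True)
    except binascii.Error as err:
        raise ValueError("certificate body is not valid base64: %s" % err)


def thumbprints(pem: str) -> dict:
    """SHA-1 (what the Entra card shows) and SHA-256 over the DER bytes,
    formatted as Entra displays them: uppercase hex, no separators."""
    der = pem_to_der(pem)
    return {
        "sha1": hashlib.sha1(der).hexdigest().upper(),
        "sha256": hashlib.sha256(der).hexdigest().upper(),
    }


def matches_entra(pem: str, shown_thumbprint: str) -> bool:
    """Compare against the value copied from the Entra card, ignoring
    case, whitespace and the colons some tools insert."""
    want = re.sub(r"[\s:]", "", shown_thumbprint).upper()
    return thumbprints(pem)["sha1"] == want


def is_complete_pem(pem: str) -> bool:
    """True if the text decodes; False for a clipped or body-only paste."""
    try:
        pem_to_der(pem)
        return True
    except ValueError:
        return False


# Constructed placeholder: base64 of arbitrary bytes wrapped at 64 columns,
# the shape of Entra's "Certificate (Base64)" download. Not a certificate.
_FAKE_DER = b"constructed placeholder, not DER" * 6
_B64 = base64.b64encode(_FAKE_DER).decode()
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64))
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    tp = thumbprints(SAMPLE_PEM)
    print("SHA-1 thumbprint:  ", tp["sha1"])
    print("SHA-256 thumbprint:", tp["sha256"])
    print("complete paste:", is_complete_pem(SAMPLE_PEM))
    print("body-only paste:", is_complete_pem(_B64))
```

Replace SAMPLE_PEM with the contents of the downloaded .cer file and pass the thumbprint from the Entra card to matches_entra; a False result means the file on disk is not the certificate Entra is currently signing with.
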

Entra’s Conditional Access policies (MFA, device compliance, sign-in location) govern Vectis sign-ins only when a policy is scoped to the Vectis application, either because it targets All cloud apps or because you add Vectis to its target list; creating the registration does not put it under a policy by itself. Check that before relying on it: SSO-authenticated Vectis users skip Vectis’s own TOTP on the assumption that Entra enforces MFA upstream, so a Vectis app that falls outside every MFA policy is a single-factor login.

Troubleshooting

  • AADSTS50011 redirect mismatch — the redirect_uri Vectis sends doesn’t exactly match a Redirect URI on the app registration. The comparison is exact: scheme, host, port, path case and trailing slash all count.
  • Secret expired — Entra client secrets expire on the date shown on the Certificates & secrets blade. When one does, every SSO login fails with a generic OIDC error (the token endpoint is reporting an expired client secret). Rotate in Entra, paste the new Value into Vectis, save. Vectis audit-logs every secret rotation.
  • Guest users — B2B guests in your tenant have a UPN of the form alice_fabrikam.com#EXT#@contoso.onmicrosoft.com: the local part carries their real address and the domain is your tenant’s onmicrosoft.com domain, so it won’t match a vanity-domain allowlist, and allowing the onmicrosoft.com domain would treat every guest in the tenant as a member. Emit user.mail (their home address) as the email claim and add that home domain to Allowed Email Domains.
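
The checks a relying party runs on an Entra ID token, covering the Issuer URL pinning in Option A step 7, the Allowed Email Domains rule in step 8, and the guest-user case above, as an added example that is not Vectis’s own code. It assumes the OIDC library has already verified the RS256 signature against the tenant’s JWKS (found through the issuer’s discovery document); the tenant ID, client ID, allowed domains and the unsigned sample tokens are constructed for the example.

```python
"""Claim checks a relying party applies to an Entra ID v2.0 ID token.

Added example for this guide, not Vectis's own code. Assumes the signature
was already verified upstream. TENANT_ID, CLIENT_ID, ALLOWED_DOMAINS and
the sample tokens are constructed for the example.
"""
import base64
import json

TENANT_ID = "11111111-2222-3333-4444-555555555555"   # assumed Directory (tenant) ID
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"   # assumed Application (client) ID
# Vanity domain plus a guest's home domain, as the troubleshooting entry advises.
ALLOWED_DOMAINS = {"contoso.com", "fabrikam.com"}


def expected_issuer(tenant_id: str) -> str:
    """Issuer for a single-tenant registration: the guide's URL with the GUID.
    Pinning the GUID form (never 'common' or 'organizations') is what makes a
    token minted by some other tenant fail the issuer check."""
    return "https://login.microsoftonline.com/%s/v2.0" % tenant_id


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Payload of a compact JWT. The signature is assumed verified upstream."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def validate_claims(claims: dict, nonce: str, now: int) -> None:
    """Reject tokens from another tenant, for another client, replayed, or stale."""
    if claims.get("iss") != expected_issuer(TENANT_ID):
        raise ValueError("unexpected issuer %r" % claims.get("iss"))
    if claims.get("tid") != TENANT_ID:
        raise ValueError("token minted for another tenant")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token not addressed to this client ID")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch, possible replay")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")


def account_email(claims: dict) -> str:
    """Address to test against Allowed Email Domains.
    preferred_username is the UPN; for a B2B guest that is
    alice_fabrikam.com#EXT#@contoso.onmicrosoft.com, whose domain is the
    tenant's rather than the guest's, so only the email claim (user.mail)
    is trusted for guests."""
    email = claims.get("email")
    if not email:
        email = claims.get("preferred_username", "")
        if "#EXT#" in email:
            raise ValueError("guest account without an email claim; map user.mail")
    if "@" not in email:
        raise ValueError("no usable email address in token")
    return email.lower()


def domain_allowed(email: str) -> bool:
    return email.rsplit("@", 1)[1] in ALLOWED_DOMAINS


def login(token: str, nonce: str, now: int) -> str:
    """Full check; returns the normalized address on success."""
    claims = decode_claims(token)
    validate_claims(claims, nonce, now)
    email = account_email(claims)
    if not domain_allowed(email):
        raise PermissionError("%s is not on an allowed domain" % email)
    return email


def rejected(token: str, nonce: str, now: int) -> bool:
    """True if login() refuses the token, for the examples below."""
    try:
        login(token, nonce, now)
    except (ValueError, PermissionError):
        return True
    return False


# Constructed sample tokens (alg=none, unsigned) for the example only.
def make_token(payload: dict) -> str:
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return "%s.%s." % (enc({"alg": "none", "typ": "JWT"}), enc(payload))


NOW = 1_700_000_000
OTHER_TID = "99999999-8888-7777-6666-555555555555"
BASE = {"iss": expected_issuer(TENANT_ID), "tid": TENANT_ID, "aud": CLIENT_ID,
        "nonce": "n-1", "exp": NOW + 300}
MEMBER = make_token({**BASE, "preferred_username": "Bob@contoso.com", "email": "Bob@contoso.com"})
GUEST_WITH_MAIL = make_token({**BASE, "email": "alice@fabrikam.com",
                              "preferred_username": "alice_fabrikam.com#EXT#@contoso.onmicrosoft.com"})
GUEST_UPN_ONLY = make_token({**BASE,
                             "preferred_username": "alice_fabrikam.com#EXT#@contoso.onmicrosoft.com"})
OUTSIDE_DOMAIN = make_token({**BASE, "email": "mallory@example.org"})
OTHER_TENANT = make_token({**BASE, "iss": expected_issuer(OTHER_TID), "tid": OTHER_TID,
                           "email": "eve@contoso.com"})

if __name__ == "__main__":
    for name, tok in [("member", MEMBER), ("guest with mail", GUEST_WITH_MAIL),
                      ("guest UPN only", GUEST_UPN_ONLY), ("outside domain", OUTSIDE_DOMAIN),
                      ("other tenant", OTHER_TENANT)]:
        print(name, "->", "rejected" if rejected(tok, "n-1", NOW) else login(tok, "n-1", NOW))
```

The OTHER_TENANT token carries a valid-looking address on your domain but a foreign issuer and tid; it is rejected before the email is ever looked at, which is exactly the protection lost if the Issuer URL were set to common.
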

Still stuck?

Email support@mspvectis.com with the error message and we’ll unblock you.
