Configuring Microsoft Entra ID for Single Sign-On for the Cost and Compliance Module
Stax integrates with your corporate identity using SAML. This allows you to bring your own identities and identity management controls to the Stax platform. Entra ID (formerly Azure Active Directory) is Microsoft's cloud-hosted identity solution. It supports integration with applications as a SAML identity provider (IdP) and is available for use by most organizations with a Microsoft 365/Office 365 tenancy.
This guidance assumes you're subscribed only to the Cost & Compliance module of Stax. If your AWS accounts are Stax-managed and you are seeing this message, please see here.
Before You Begin
- Estimated time to complete: 1 hour
- Ensure you are a member of the Admin role in Stax
- You need to be a member of the Global Admins role in Entra ID, or be delegated equivalent access to Enterprise Applications by an administrator
Request the SSO Configuration details from Support
Before you can start setting up Entra ID, you'll need some details that Stax's Customer Support team can provide you. Get in touch and request the SSO URLs for your tenancy. you'll be provided:
- The callback URL - used for setting Stax up in Entra ID and telling it where to send the response. As an example here, we’ll use https://app.stax.io/auth/azure_ad/my-token-here/callback
- The trigger / initiation URL - As an example here, we’ll use https://app.stax.io/auth/azure_ad/my-token-here
Configure Entra ID
Open the Entra ID console and follow the steps:
- From the header, search for App registrations
- Click New registration
- For name, enter Stax
- For Supported account types, ensure Accounts in this organizational directory only is selected
- Choose Client Application for the Platform configuration
- Press Register to create the application
- Press Add a platform to add a new platform
- Choose Web for the type of the application
- In the redirect field above, provide your callback URL the Support team gave you, e.g. https://app.stax.io/auth/azure_ad/my-token-here/callback
- Press Configure
- On the left, press Certificates & Secrets
- Choose New client secret
- Give the secret a description of Stax SSO, and choose Never for expires
- Record the value of the newly-added Client Secret Go back to overview, and record the value of Application (client) ID
Provide the details to Support
Provide support with the Application (client) ID and Client Secret you captured earlier. Additionally, provide your Entra ID tenant ID. The Customer Support team will then configure SSO for your Stax tenancy and inform you once it's been completed.
From then on, you can either directly navigate to your Trigger URL to log in, or alternatively, provide support with an email domain, to automatically trigger all authentication requests for that domain to log in via your SSO provider.