Set up SAML SSO & SCIM with Microsoft Entra ID

For Enterprise org admins: Learn how to set up both SAML SSO and SCIM if you use Microsoft Entra ID (formerly Azure AD)

Updated over a month ago

SAML SSO and SCIM are available for organizations on Coda's Enterprise plan. This article is intended for org admins who use Microsoft Entra ID (formerly known as Azure AD) as their Identity Provider. Below we will walk through the specific steps necessary to set up both SSO and SCIM in Coda. If you use a different Identity Provider, please check out this article instead.

ℹ️ Please note that SSO and SCIM are only available to customers on Coda’s Enterprise plan.



Supported features

SAML and SCIM allow org admins to authenticate and provision users in their organization. Within Coda, the following SAML and SCIM features are supported for Microsoft Entra ID:

SAML

  • IdP-initiated SSO

  • SP-initiated SSO

  • Just-In-Time provisioning

SCIM

  • Create users

  • Update user attributes

  • Deactivate users

  • Create groups

For additional details, you can also refer to Entra ID's documentation here. Note that the gallery app is outdated.

Configure SAML SSO

Please note that the following instructions are specific to Microsoft Entra ID (formerly Azure AD). If you use a different identity provider, refer to this article instead.

Part 1: Create a custom Coda app

To configure the integration of Coda into Microsoft Entra ID, you need to create a custom Coda app. Do NOT use the existing Coda app in the Entra ID Gallery, as it does not support the latest updates to share with groups at this time.

  1. Navigate to Identity > Applications > Enterprise applications > New application.

  2. Create a custom app to connect to Coda.

Part 2: Enable SSO in Coda

  1. At the top of the left panel, select Admin settings

  2. Search for - or scroll to - the Authentication methods tab.

  3. Scroll down to the Authenticate with SSO (SAML) option, and toggle this on. Then click Configure SAML.

  4. Click into the SAML provider dropdown, and choose Microsoft Entra ID (Azure AD) from the list of options.

  5. In the For Microsoft Entra ID (Azure AD) section on the left, click the Download button next to the SAML metadata URL field. You will upload this file into Entra in subsequent steps.

Part 3: Configure SSO in Entra ID

  1. Browse to Identity > Applications > Enterprise applications > Coda > Single sign-on.

  2. On the Select a single sign-on method page, select SAML.

  3. On the Set up single sign-on with SAML page, click on Upload metadata file (towards the top of the page).

  4. Click on the folder logo, select the file you downloaded in Part 2, and click Upload.


  5. After the metadata file is successfully uploaded, the Identifier and Reply URL values will autofill in the Basic SAML Configuration section.

  6. Finally, scroll down to the SAML Certificates section, and click the copy button next to the App Federation Metadata Url.


Part 4: Finish SSO configuration in Coda

Return to the Coda SAML setup page for the following steps.

  1. In the From Microsoft Entra ID (Azure AD) section (on the right), paste the App Federation Metadata Url value you copied earlier into the App Federation Metadata URL field. Click the Import button.

    1. Sign on URL, Issuer, and Signing certificate will auto-fill. Make any manual edits if needed.

  2. Select Save.

This completes the work necessary for the SAML SSO connection setup 🎉

Optional step: Test your SSO configuration

In this section, you can test your Microsoft Entra ID single sign-on configuration with the following options.

  • Click on Test this application, and you should be automatically signed in to the Coda instance for which you set up SSO.

  • You can use Microsoft My Apps. When you click the Coda tile in My Apps, you should be automatically signed in to the Coda instance for which you set up SSO. For more information about My Apps, see Introduction to the My Apps.

Manage SSO for multiple workspaces

If you have multiple Coda workspaces within your Enterprise org and want to use SSO, you may be wondering how the right users are assigned to the right workspace. That’s where SAML assertions come in.

To get started with SAML assertions for multiple workspaces, you’ll first need to contact your account team (or reach out to us via this form) to enable the feature.

Once SAML assertions have been enabled, you will need to map users to the correct Coda workspaces within your Microsoft Entra ID account. This can be done within the Coda application, in the Single sign-on tab, under the Attributes & Claims section. Refer to this link for more details. The mapping should match the following format:

    "attributes": {
      ...
      "http://schemas.microsoft.com/ws/2008/06/identity/claims/role": [
        "ws-Abcd1234",
        "ws-Abcd5678"
      ],
      ...
      "coda/workspaces": [
        "ws-Abcd1234",
        "ws-Abcd5678"
      ]
    }

Finally, you can complete the setup in your Coda admin settings, under the Workspace assignment tab. Scroll to the Workspace membership assignment setting, and select the Manage via SAML assertions option.
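
Before switching to Manage via SAML assertions, it helps to confirm that a captured, decoded SAML response actually carries the attributes shown above. The following is an added example, not Coda's or Microsoft's code: the sample assertion is constructed, and the "ws-" ID pattern and the expectation that the role claim lists the same IDs as coda/workspaces are assumptions taken from the sample format on this page.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
WORKSPACE_ATTR = "coda/workspaces"
# Assumption: workspace IDs look like the page's samples ("ws-" + alphanumerics).
WS_ID = re.compile(r"^ws-[A-Za-z0-9]+$")

# Constructed sample: the attribute part of a decoded SAML response.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
      <saml:AttributeValue>ws-Abcd1234</saml:AttributeValue>
      <saml:AttributeValue>ws-Abcd5678</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="coda/workspaces">
      <saml:AttributeValue>ws-Abcd1234</saml:AttributeValue>
      <saml:AttributeValue>ws-Abcd5678</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def extract_attributes(assertion_xml):
    """Return {attribute name: [values]} from every AttributeStatement."""
    # Inspection only: no signature check. Parse XML from untrusted sources
    # with defusedxml instead of the standard-library parser.
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def check_workspace_claims(attrs):
    """Return a list of problems; an empty list means the mapping looks right."""
    problems = []
    workspaces = attrs.get(WORKSPACE_ATTR, [])
    if not workspaces:
        problems.append(f"missing attribute {WORKSPACE_ATTR!r}")
    for value in workspaces:
        if not WS_ID.match(value):
            problems.append(f"unexpected workspace value {value!r}")
    # Assumption from the page's sample: the role claim carries the same IDs.
    roles = attrs.get(ROLE_CLAIM)
    if roles is not None and set(roles) != set(workspaces):
        problems.append("role claim and coda/workspaces differ")
    return problems

if __name__ == "__main__":
    print(check_workspace_claims(extract_attributes(SAMPLE_ASSERTION)) or "OK")
```

A value such as a role display name in place of a workspace ID is reported as an unexpected workspace value, which is worth catching before workspace membership is driven by the assertion.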

Configure SCIM

Please note that the following instructions are specific to Microsoft Entra ID (formerly Azure AD). If you use a different identity provider, refer to this article instead.

Part 1: Enable SCIM in Coda

The first step is to enable SCIM within your Coda admin settings. Note that you must be an Enterprise org admin to follow these steps:

  1. In the upper left, click on Admin settings

  2. Scroll to - or search for - the Provisioning tab.

  3. Ensure Provision with SCIM is enabled.

  4. Click Generate New Token. (Note: Only one SCIM token is valid at a time. If SCIM was previously configured, generating a new token invalidates the previous token.)

  5. Note the SCIM Base URL and SCIM Bearer Token. You will need this information later.

Part 2: Configure SCIM in Entra ID

Next, you’ll need to configure SCIM within Entra ID:

  1. In Entra ID, click on the Provisioning tab in your Coda integration app.

  2. Click Get started.

  3. Set Provisioning mode to Automatic

  4. Expand the Admin credentials section

  5. Paste the SCIM Base URL from Coda (see the steps in the section above) into the Tenant URL field.

  6. Paste the SCIM Bearer Token from Coda into the Secret Token field.

  7. Click Test Connection to verify you have correctly completed these steps.

  8. Once you’ve tested the connection, click Save.

  9. Finally, click Start provisioning (towards the top of the page) to enable provisioning.


FAQs

I accidentally added the existing Coda Gallery app instead of creating a new custom Coda app. What do I do?

The Gallery app for Coda does not support the latest updates to share with groups at this time, so you will have to transition from using the Coda Gallery app to a custom app if you'd like to grant your organization the ability to share docs and folders to groups.

  1. From the Provisioning tab in your existing gallery app, disable provisioning (via the Stop provisioning setting)

  2. Then create a new application in Azure under Enterprise applications.

  3. Then press Create your own application to create a custom app to connect to Coda. Do not use the Gallery app for Coda as it does not support the latest updates to share with groups at this time.


You’ve successfully transitioned to a custom app!

