Configure Azure SSO, now known as Microsoft Entra ID, as a custom SAML application for limited automatic provisioning with ClickUp!
Microsoft Entra ID has limited automatic provisioning including user creation and removal. Roles, Custom Roles, and Teams cannot be assigned. You can set a default role, but you can't set roles per-user.
What you'll need
-
Before you can set up provisioning, you need to have Microsoft Entra ID enabled for your Workspace.
- Microsoft Entra ID is only available to Workspaces on the Enterprise Plan.
- Only Workspace owners and admins can enable Azure SSO.
- Only Microsoft Entra ID admins can configure Microsoft Entra ID SCIM.
Step 1: Set up Microsoft Entra ID custom SAML application
To set up the custom SAML application:
- Create a new custom SAML application in Microsoft Entra ID.
This is not the official ClickUp Microsoft Entra ID Gallery application titled ClickUp Productivity Platform.
- In ClickUp, click your Workspace avatar and select Settings.
- In the Sidebar, click Security & Permissions.
- In the Single sign-on (SSO) section, select SAML.
- For a new Microsoft Entra ID app, copy the SP Entity ID from ClickUp.
- Paste the SP Entity ID from ClickUp into the Identifier (Entity ID) field in Microsoft Entra ID.
- Copy the Single sign-on URL (ACS URL) from ClickUp and paste it into the Reply URL (Assertion Consumer Service URL) field in Microsoft Entra ID.
- Click Save in Microsoft Entra ID.
Step 2: Link SSO in ClickUp
Now that the application is set up, you can complete the SSO connection in ClickUp:
- Ensure the person setting up the SSO integration is assigned in the Microsoft Entra ID app. Others can be added later.
- Copy the Login URL and the IDP Public Certificate from Microsoft Entra ID.
- Paste these values in plaintext to the corresponding empty ClickUp fields when selecting the SAML connector.
- To get the certificate in plaintext, download and right-click the file to open it with a text editor of your choice. The text begins with -----BEGIN CERTIFICATE-----. Paste the entire text value without any edits into the IDP Public Certificate field.
- To get the certificate in plaintext, download and right-click the file to open it with a text editor of your choice. The text begins with -----BEGIN CERTIFICATE-----. Paste the entire text value without any edits into the IDP Public Certificate field.
-
Select Save metadata.
- You'll be prompted to complete the link by logging in with SSO. If successful, you'll be redirected to ClickUp.
- On the Security & Permissions page in ClickUp, you'll see three new options:
- SCIM Base URL
- SCIM API Token
- Login policy
Step 3: Set up automatic provisioning with ClickUp
With SSO linked, you can now set up automatic provisioning:
- In Microsoft Entra ID, open the Provisioning tab and change the dropdown from Manual to Automatic. This will cause the Admin Credentials window to appear in the Provisioning tab.
- Input the SCIM Base URL from your ClickUp Security & Permissions page into the Tenant URL field.
- Input the SCIM API Token from your ClickUp Security & Permissions page into the Secret Token field.
- Click Test Connection.
- Once the test is successful, SCIM is now set up in your Workspace. Users can sign in to ClickUp using Microsoft Entra ID.
People assigned to the application can be added immediately using the Provision on demand tab in Microsoft Entra ID, or you can wait until it is done automatically.
Automatic provisioning runs on a timed cycle controlled by Microsoft Entra ID, and users assigned to the application will only be added when the next automatic provisioning cycle runs.
Custom Role attributes
The following Custom Role attributes are available:
Model | Custom Role Attributes |
Base |
• id • userName • Name: {givenName and familyName} • active • emails • Array of emails with value property and primary (boolean) property • title • manager |
Extension |
• role • clickupRole • customRoleId • customRoleName |
Enterprise |
• manager |