DocuWare supports Microsoft Entra ID (formerly: Azure Active Directory) as an identity provider for single sign-on. Here's how to connect DocuWare to Microsoft Entra ID.
In DocuWare Configuration, under Security, activate the option Enable single sign-on.
Add a new app registration in Microsoft Entra ID.
Add a new redirect URI for the newly created app registration.
Copy the Callback URL from DocuWare Configuration under Organization settings > Security > Connection into the URI (Web) field and activate the option ID tokens.
Copy the Application (client) ID from the overview of the app registration and, under Endpoints, the URL of the OpenID Connect metadata document. Enter them in DocuWare under Security > Configure single sign-on connection, as Client ID and Issuer URL respectively.
After saving the settings, users can log on either with a DocuWare user name and password or with single sign-on via Microsoft.
Regarding the option "Automatically link existing users at login":
If this option is activated, the first time a user logs in with single sign-on, DocuWare will search for a suitable existing DocuWare user with the appropriate user name and email address.
The same username and email address must be stored in Microsoft Entra ID and in DocuWare.
The DocuWare user name must correspond to the local part (first part up to @) of the email address of the user in Microsoft Entra ID.
The Microsoft Entra ID user account and the DocuWare user account will only be linked if the user name AND email address match.
Example:
Entra ID user principal name: peggy.jenkins@peters-engineering.net
DocuWare username: peggy.jenkins
DocuWare email address: peggy.jenkins@peters-engineering.net
It is not mandatory for DocuWare users to be created via the User Synchronization app in order to use single sign-on. Even if you create new users manually or import them via an interface, the external user account and the DocuWare account are automatically compared. As soon as a user has been assigned, the user is recognized from this point on based on their external object ID. This means that even if the email address and/or the user name no longer match, the user is still recognized.
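The linking rule above can be checked against both user lists before the option is activated. The following Python code is an added example, not DocuWare or Microsoft code; the record layout, the function names and the case-insensitive comparison are assumptions, and all sample accounts other than peggy.jenkins are constructed.

```python
# Added example: dry run of the auto-link rule (user name AND email must match).
# Record layout and case handling are assumptions, not DocuWare/Entra formats.

def local_part(email):
    """Part of an email address before the '@'."""
    return email.split("@", 1)[0]

def link_status(dw_user, entra_user, ignore_case=True):
    """Classify one DocuWare/Entra pair against the rule described on this page."""
    norm = (lambda s: s.strip().lower()) if ignore_case else (lambda s: s.strip())
    name_ok = norm(dw_user["username"]) == norm(local_part(entra_user["email"]))
    mail_ok = norm(dw_user["email"]) == norm(entra_user["email"])
    if name_ok and mail_ok:
        return "link"
    if name_ok:
        return "email-mismatch"      # same user name, different email: not linked
    if mail_ok:
        return "username-mismatch"   # same email, different user name: not linked
    return "no-match"

def audit(dw_users, entra_users, ignore_case=True):
    """Per Entra account, list DocuWare accounts that link or only partly match."""
    report = {}
    for entra in entra_users:
        hits = {}
        for dw in dw_users:
            status = link_status(dw, entra, ignore_case)
            if status != "no-match":
                hits[dw["username"]] = status
        report[entra["email"]] = hits
    return report

# Sample data: peggy.jenkins is the page's example, the rest is constructed.
DOCUWARE = [
    {"username": "peggy.jenkins", "email": "peggy.jenkins@peters-engineering.net"},
    {"username": "tom.meyer", "email": "t.meyer@example.com"},
    {"username": "admin", "email": "sara.lopez@example.com"},
]
ENTRA = [
    {"email": "peggy.jenkins@peters-engineering.net"},
    {"email": "tom.meyer@example.com"},
    {"email": "sara.lopez@example.com"},
]

if __name__ == "__main__":
    for email, hits in audit(DOCUWARE, ENTRA).items():
        print(email, hits or "no candidate")
```

Accounts reported as email-mismatch or username-mismatch are the ones to correct beforehand, since only a match on both fields leads to a link at the first single sign-on.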