Setting Up SSO with Microsoft Entra ID – Rhombus Support

Topics included in this article:

Recovery Users
Just-In-Time User Creation
Set Up SSO
Common Questions
Helpful Links
Contact Support or Sales

Notes:

An Entra ID (formerly Azure Active Directory) subscription is required for this feature.
Microsoft Documentation: Provision users and groups using SCIM or Configuring SCIM provisioning for Entra ID.
Single Sign-On, or SSO, is a way to sync sign-on across multiple applications, allowing you to log into all applications with one user account and password.
Third-party platform UI is subject to change.

Recovery Users

A Recovery User is a user account in your organization that bypasses SAML once enabled.

Note: We recommend having at least two Super User Accounts as Recovery Users when enabling SSO to ensure you have a method of logging and disabling SSO in the event SAML encounters errors.

Enabling a user account as a Recovery User is performed during the SSO configuration process in the Rhombus console.

1. Log into the Rhombus console, navigate to "Settings," and click "Single Sign-On."

Screenshot 2025-05-08 at 9.27.23 AM.png

2. Under the Single Sign-On dropdown menu, enter your team name and click the toggle beside "Use Single Sign-On for Rhombus Console."

Screenshot 2025-05-08 at 9.40.57 AM.png

3. Click the dropdown menu next to "SSO Recovery Users," select all users you wish to be recovery users, and click "OK." A blue dot will indicate the users who are designated to be a recovery user.

Screenshot 2025-05-08 at 9.33.36 AM.png

Just-In-Time User Creation

When you set up Microsoft Entra ID SSO, you can choose to enable Just-In-Time Creation. This automatically creates user accounts with assigned roles on the Entra ID platform.

Additional setup is required on the Microsoft side, as detailed in the "Configure SCIM 2.0 with Entra ID" article. For Just-In-Time creation, you don't need to activate SCIM for role synchronization, but you do need to follow the setup steps outlined in the article.

Note: You do not need to enable SCIM to follow the steps shown in the article, but without the ability to test with provisioning on demand, you may need to wait 30 minutes or longer for Rhombus and Entra ID to sync up.

Set Up SSO

Rhombus currently has an enterprise application denoted by our logo on the Azure Marketplace.

1. Access the Entra ID Portal, navigate to "Enterprise Applications," and search "Rhombus Systems."

Screenshot 2025-05-20 at 1.31.26 PM.png

2. Click on the Rhombus Systems app, then click "Create."

Screenshot 2023-12-13 at 2.39.56 PM.png

3. In the Rhombus console, navigate to "Settings," "Single Sign-On," and click "Download" next to SP Metadata.

Screen Recording 2025-05-20 at 12.27.35 PM.gif

4. In the Entra ID portal, click the "Single Sign-On" tab, and click "Upload Metadata file."

Screenshot 2025-05-20 at 1.38.27 PM.png

5. Click the file explorer button on the far right to open the Library folder, locate the file, and click "Add" when selected.

Screenshot 2025-05-21 at 12.39.14 PM.png

6. Next, copy the "ACS URL" and "Entity ID" from the SSO page in the Rhombus Console.
Note: Do not include the extra characters after "SSO" in the ACS URL as they are Rhombus-specific and not needed by Entra.

Screenshot 2025-05-22 at 10.40.24 AM.png

7. In the Entra ID portal, click "Edit" beside "Basic SAML Configuration" and paste the copied URL and ID from step 6 in their respective fields. Click "Save" when finished.

Screenshot 2025-05-22 at 11.14.57 AM.png

Screenshot 2025-05-22 at 11.15.48 AM.png

8. Next, download the "Federation MetaData XML" from the Entra ID portal and paste it into the "IDP MetaData XML" field on the SSO page in the Rhombus Console.

Screenshot 2025-05-22 at 11.21.24 AM.png

9. Edit the Metadata XML by adding the NameIDFormat Attribute as shown below:

Add the following line in the XML before the "<IDPSSODescriptor>."

 <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>

If you are using a SAML 2.0, you may need to add the appropriate "md" prefixes to the XML tags to match the format.

<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>

Screenshot 2025-05-22 at 11.35.21 AM.png

10. When finished, click "Save" in the upper-right corner of the Rhombus SSO page.

Screenshot 2025-05-22 at 11.37.22 AM.png

11. Now when users try to log in to Rhombus, they will be redirected to log in through Entra ID.

Note: If Just-In-Time is not enabled, each user will need to be created in Rhombus before logging in.

Common Questions

Will users be provisioned when they are added to an ID group if the group is defined?

Users will automatically get provisioned in Rhombus if:
1. SCIM has been configured between the IDP (Entra ID, Okta...) and Rhombus
2. JIT (Just In Time) SAML has been enabled on Rhombus

In either scenario, it is expected that the Users are assigned to Groups on the IDP side (Entra ID, Okta, etc.) with matching Role names on the Rhombus side.

Do users need to be created in both ID and Rhombus for it to work?

This is not required so long as Users have matching IDP Group to Role name association and JIT (Just-In-Time) SAML has been enabled in Rhombus.

What do I need to do on the Rhombus side before the integration?

You will need to create the user Roles in Rhombus. The group or role on the IDP side (Entra ID, Okta, etc.) and the Role name in Rhombus must match. For example, users assigned to matching groups in Entra will be automatically assigned to the matching Role with the matching name.

Helpful Links

Contact Support or Sales

Have more questions? Contact Rhombus Support at +1 (877) 746-6797 option 2 or support@rhombus.com.

Interested in learning more? Contact Rhombus Sales at +1 (877) 746-6797 option 1 or sales@rhombus.com.