Watch Webinar: Figma - Design to Code in 80% Less Time

Announcing Visual Copilot - Figma to production in half the time

Builder.io logo
Talk to Us
Platform
Developers
Talk to Us

Blog

Home

Resources

Blog

Forum

Github

Login

Signup

×

Visual CMS

Drag-and-drop visual editor and headless CMS for any tech stack

Theme Studio for Shopify

Build and optimize your Shopify-hosted storefront, no coding required

Resources

Blog

Get StartedLogin

enterprise plans

There are two main steps to setting up SSO with Builder and Microsoft Entra ID:

  1. Configuring Entra by creating an application integration.
  2. Configuring Builder by adding an Entra SAML Config.

Tip: Microsoft recently renamed Azure AD to Microsoft Entra ID. As of autumn 2023, some of the features related to Entra ID are still named Azure.

  1. Go to the Microsoft Entra (formerly Azure) Portal.
  2. In your account, select Enterprise Applications.
  3. Click New Application.
  4. Click Create your own application. A dialogue opens where you can enter the name of your application. Keep the default selected option Integrate any other application you don’t find in the gallery (Non-gallery) as below:
Screenshot of the Entra Create your own application dialogue.

After you create your application:

  1. Go to Single sign-on and select SAML as the single sign-on method.
  2. Edit the Basic SAML Configuration by setting these values:
Screenshot of Basic SAML Configuration dialogue in Entra.

After you save, the Basic SAML Configuration should include: 

  • Identifier (Entity ID): https://builder.io
  • Reply URL: https://builder.io/__/auth/handler
  • Sign on URL: https://builder.io/login/saml/builder-sso-saml
  • Relay State: Optional
  • LogoutURL: Optional

The screenshot below shows these values in context:

Screenshot of Basic SAML Configuration settings in Azure.

Next, download the certificate from SAML Certificates as below:

Screenshot of SAML Certificates in Azure. items include the Status, thumbprint, Expiration, Notification Email, App Federation Metadata URL. After these are three links for downloading the Certificates. After the download links is a section entitled "Verification certificates (optional)" where Required is set to No and Active and Expired are both set to zero.

With SSO enabled on your Builder account and an app, you can add your SSO details:

  1. Go back to your Builder Organization page.
  2. Click on Single Sign-on.
  3. From your Entra Application single sign-on configuration, enter the SAML information from your Entra account (Login URL, Azure AD Identifier, Logout URL, and the certificate).
  4. When choosing an SSO Name, be aware that this is a unique name across all Organizations in Builder, and it will be used to access your unique SSO login page; for example, https://builder.io/login/company-name. Choose something that is easy to bookmark or remember for you and your colleagues.
Screenshot of info to get from Azure that you'll need to provide in the Builder config.

The video below, by one of our excellent engineers, goes through the process of setting up SSO with Entra (formerly Azure) and Builder, from beginning to end. (It wasn't initially made for the docs, but it is so perfect that we just had to add it!)

By default, usernames are not mapped between Builder and identity providers. However, administrators can establish this connection by mapping a specific name field from the identity provider to the name attribute in Builder's profile settings. This configuration ensures that the username is properly set upon user login with SSO.

To map usernames between Builder and Microsoft Entra, you'll need to go to Entra to update your profile mappings.

OpenID Connect (OIDC) builds on OAuth 2.0 so applications can authenticate users and retrieve their basic information in a standardized way. OAuth 2.0 supports different authorization strategies, including:

  • Implicit flow: for browser-based apps. It is less favored as it can expose tokens to the browser.
  • Authorization Code Flow: is preferred for its security, suitable for apps that can manage a Client Secret without exposing it, as it conducts token exchanges away from the user's browser. The Client Secret acts as a password between the app and the authorization server to safely exchange an authorization code for an access token.

When setting up OIDC for SSO in Builder.io, you have the option to include a client secret in your Builder SSO configuration, which indicates that you want to use the code flow. If you don't include a client secret, Builder defaults to using the implicit flow.

To add your IdP's Client Secret to your Builder SSO configuration:

  1. In Microsoft Entra: Get your Client Secret from Microsoft Entra. Refer to their docs for adding a Client Secret.
  2. In Builder: Go to Builder's Organization Settings.
  3. Click the Edit button for Single Sign-On. Note that you must have SSO enabled for your Organization before this option is available in your Organization Settings.
  4. For the SSO Method, make sure you've selected OpenID Connect.
  5. Paste the Client Secret in the Client Secret field.
  6. Click the Save button.
Screenshot of the SSO dialogue in Builder with a circle around the IdP Client Secret field. It is the fifth field in the dialogue and displays when the selected SSO Method is OpenID Connect.

Due to recent browser updates, if you previously used the Firebase URL, you must update your authentication domain for SSO to ensure compatibility and security.

To accommodate these changes while maintaining existing SSO configurations:

  1. Update the ACS URL: Replace the previous redirect URL of https://builder-3b0a2.firebaseapp.com/__/auth/handler with the new domain https://builder.io/__/auth/handler. This applies to both SAML and OIDC configurations and must be updated in the Identity Provider (IdP) settings.
  2. Update the login URL: Append the query parameter authDomain=new to the login URL. For example, a bookmarked login URL would be formatted as https://builder.io/login/saml/builder?authDomain=new. Including this parameter ensures compatibility with the new custom domain. Omitting it may lead to incompatibility issues, affecting SSO functionality with recent versions of browsers such as Firefox and Safari.

For IdP-initiated logins, the login URL provided by the IdP must also include the authDomain=new parameter for seamless integration.

Was this article helpful?

Product

Visual CMS

Theme Studio for Shopify

Sign up

Login

Featured Integrations

React

Angular

Next.js

Gatsby

Get In Touch

Chat With Us

Twitter

Linkedin

Careers

© 2020 Builder.io, Inc.

Security

Privacy Policy

Terms of Service

Newsletter

Get the latest from Builder.io

By submitting, you agree to our Privacy Policy