SSO Integration with Microsoft Entra: Unexpected Login ID Appears in Creatio

Hi

I have successfully completed the SSO integration between Creatio and Microsoft Entra. While the authentication flow is working correctly, I have noticed an issue with the user account that gets logged into Creatio.

As part of the integration, I created a test user (b.simon@mydomain.com) in Microsoft Entra and set up the same user in Creatio with matching credentials, as one of the setup documents suggested (though I’m unsure why this step is necessary with SSO).

But instead of the actual user credentials from Entra (e.g., b.simon@mydomain.com), the system logs in with a random-looking ID such as 8ZnJDRhO1KZ-skvqOA_0fw7AxMS0J2kib8CPqOl5EbA, and the "User Name" field in Creatio remains empty.

Has anyone encountered this behavior before? Is there a configuration I am missing in the SSO setup or mapping that needs to be corrected so that Creatio recognizes the correct user principal name (UPN) from Entra?

Any guidance would be appreciated!

Thanks in advance,
Ajay


Hi,

During SSO communication, for mapping users between Creatio and the Identity Provider (in this case, Entra), we use the Name ID claim from Entra and the username field in Creatio. The Name ID claim can be set to pass any attribute from Entra — by default, it is the email, but this can be customized. (On the Creatio side, user identification is always based on the username, and this cannot be changed.)

If JIT (Just-In-Time) provisioning is enabled (which I suspect, since otherwise login would not occur when the user is missing in Creatio), a new user will be created automatically, and the username will be set to the value of the Name ID claim.

Based on your description, it looks like you are passing something other than the email in the Name ID claim. I recommend ensuring that the correct value (e.g., the user’s email) is being passed as the Name ID. This value will then be used to map with the username in Creatio.

Alternatively, if JIT is disabled, you need to create the user in advance in Creatio with the username b.simon@mydomain.com, and only then test the login.

Also, make sure the user being created or used is of the Internal user type. For External users, the username field is not available — this could be the case.

Additionally, for internal debugging, you can use the SAML Tracer Chrome extension.

It allows you to inspect the request and response bodies and see which claims are being received from the Identity Provider.

If you have any further questions, we recommend reaching out to our support team at support@creatio.com.
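The check the answer above describes with SAML Tracer (look at which claims the Identity Provider actually sends, and in particular what is in the Name ID) can also be done offline on a saved SAMLResponse. The following Python script is an added example, not part of the original thread and not Creatio's or Microsoft's code: it decodes the base64 SAMLResponse form parameter, pulls the NameID value, its Format attribute and the attribute claims out of the assertion, and reports whether the NameID is an e-mail-style identifier or an opaque persistent/transient identifier that a service provider matching on username would turn into a user named after that opaque string. The assertion embedded in it is constructed for the example (no signature, placeholder issuer, placeholder opaque NameID, standard claim URIs as attribute names); the NameID formats are the ones defined by SAML 2.0 Core.

```python
"""Offline inspection of a SAML Response: which value will the SP use as the username?"""
import base64
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"saml": SAML, "samlp": SAMLP}

# NameID formats from SAML 2.0 Core, section 8.3.
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PERSISTENT_FMT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT_FMT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
OPAQUE_FMTS = {PERSISTENT_FMT, TRANSIENT_FMT}

# Standard claim URIs used here as sample attribute names.
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"


def build_sample_response(name_id: str, name_id_format: str) -> str:
    """Constructed, unsigned sample assertion (not a real capture). The UPN is
    always present as an attribute claim; only the NameID varies."""
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.com/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{name_id_format}">{name_id}</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="{NAME_CLAIM}">
        <saml:AttributeValue>b.simon@mydomain.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="{EMAIL_CLAIM}">
        <saml:AttributeValue>b.simon@mydomain.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


# The misconfigured case: an opaque persistent identifier in the NameID (placeholder value).
SAMPLE_RESPONSE = build_sample_response("OPAQUE-ID-EXAMPLE", PERSISTENT_FMT)
# What the browser actually POSTs: the XML, base64-encoded, in the SAMLResponse form field.
SAMPLE_POST_VALUE = base64.b64encode(SAMPLE_RESPONSE.encode("utf-8")).decode("ascii")


def decode_saml_response(form_value: str) -> str:
    """Decode the base64 SAMLResponse POST parameter back into XML text."""
    return base64.b64decode(form_value).decode("utf-8")


def parse_assertion(xml_text: str) -> dict:
    """Extract NameID, its Format and all attribute claims from a Response or bare Assertion."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag == f"{{{SAML}}}Assertion" else root.find("saml:Assertion", NS)
    if assertion is None:
        # An EncryptedAssertion has to be decrypted with the SP key before inspection.
        raise ValueError("no plain Assertion element found in the response")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values
    return {
        "name_id": (name_id.text or "").strip() if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "attributes": attributes,
    }


def is_opaque_name_id(info: dict) -> bool:
    """True when the NameID is a persistent/transient identifier or does not look like an address."""
    nid, fmt = info["name_id"], info["name_id_format"]
    return nid is not None and (fmt in OPAQUE_FMTS or "@" not in nid)


def diagnose(info: dict) -> list:
    """Human-readable findings: what the SP will match on, and which attribute could replace it."""
    findings = []
    nid, fmt = info["name_id"], info["name_id_format"]
    if nid is None:
        return ["no NameID in the assertion: the SP has nothing to map the user on"]
    findings.append(f"NameID {nid!r} (format {fmt or 'unspecified'}) is the value matched against the username")
    if is_opaque_name_id(info):
        findings.append("NameID is opaque, not an e-mail/UPN: with JIT on, a user named after it will be created")
        for name, values in info["attributes"].items():
            for value in values:
                if "@" in value:
                    findings.append(f"candidate value for the Name ID claim: {value!r} (attribute {name})")
    return findings


if __name__ == "__main__":
    for line in diagnose(parse_assertion(decode_saml_response(SAMPLE_POST_VALUE))):
        print(line)
```

To use it on a real login, copy the SAMLResponse value from the POST to the Creatio ACS endpoint (SAML Tracer shows it decoded; the form field itself is base64) and feed it to `decode_saml_response`. If the findings report an opaque NameID while an address-valued attribute such as the name or emailaddress claim is present, the fix is on the Identity Provider side: change the Name ID claim source to that attribute, or pre-create the Internal user in Creatio with the opaque value as username if you deliberately want a non-email identifier.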
