SSO with Microsoft Entra ID

With single sign-on (SSO), users can access their company and other business applications through a single login. Centralized login and authentication have several key advantages, including security benefits.

Microsoft Azure AD has been renamed to Microsoft Entra ID. For more information, read about the new name for Azure Active Directory on Microsoft.com.

SSO with Entra ID requires specific configuration settings to work correctly with Sage Intacct.

Enable SSO in Intacct

You enable SSO with Entra ID for your company and set connection options on the Company information page. Intacct uses these settings to establish a connection between your company and Entra ID. Users will continue to log in using the basic login page until you explicitly set them up for SSO (see Set up individual users in Intacct).

To enable SSO with Entra ID for your company:

  1. Go to Company > Setup > Configuration and select Company. On the Company Information page, select the Security tab and then select Edit.
  2. In the Single sign-on (SSO) section, select the Enable single sign-on checkbox.
  3. Do one of the following for the Identity provider type:
    • If you are not using Active Directory Federation Services (AD FS), select SAML 2.0.
    • If you're using AD FS, select SAML 2.0 with ADFS.
  4. In the Issuer URL field, enter your Intacct Company ID.
  5. Enter your Login URL and Certificate.
    Field values for the Login URL and Certificate are obtained from your single sign-on identity provider. For more information, see Set up single sign-on (SSO).
  6. Set the Requested authentication content type to exact.
  7. Select Save.

Set up individual users in Intacct

When SSO is enabled for your company, you can individually require users to use SSO when logging in to your company. After you set up a user for SSO, the user will no longer be able to use a password to log in to your company directly. Instead, that user will need to use single sign-on and your SSO identity provider will authenticate them as an authorized user. Any users who are not set up for SSO can continue to log in to your company using the basic login page.

To use SSO, users must log in from a computer that has access to your SSO system. In addition, we currently do not support SSO from mobile devices.

To enable SSO for a user:

  1. Go to Company > Admin > Users. The Users list opens.
  2. Find the required user and select Edit next to their name.
  3. Select the Single sign-on tab.
    This tab appears only if you've already enabled SSO for your company. See Enable SSO in Intacct.
  4. Select the option to Enable single sign-on.
  5. In the Federated SSO user ID field, enter the ID that your SSO identity provider uses to identify this particular user.

The Federated SSO user ID must match the value configured in Microsoft Entra attribute mappings.

When single sign-on is enabled, users must access Sage Intacct from their Microsoft My Apps page rather than using the Use single sign-on link on the Sage Intacct home page.

Entra ID SSO settings

There are settings needed in Entra ID to complete your SSO configuration.

  1. Go to Entra SSO setup > Basic SAML Configuration and select Edit.

  2. In Identifier (Entity ID), enter your Intacct company name.

  3. In Reply URL in Entra, enter the following URL and set it as default:

    https://www.intacct.com/ia/acct/sso_response.phtml

  4. Add a second URL in Reply URL in Entra from one of the following.
    Select the POD-specific URL that's appropriate for your company.

  5. Save your changes.

Entra ID attribute mappings

To allow Intacct to identify your company and users during authentication, you must configure attribute mappings.

  1. In Entra, go to Single sign-on > Attributes & Claims and select Edit.

  2. Configure the following values:

    Attribute name    Source attribute
    Company Name      Company ID
    name              <User ID>

  3. Remove any default additional claims that are not required.

  4. Save your changes.

The <User ID> value must match the User ID defined for each user in Intacct. This value is used as the Federated SSO user ID when you enable SSO for individual users.
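
To confirm that the Reply URL and attribute mappings described above took effect, you can inspect a sign-in response captured from your own tenant. The following is an added example, not Sage or Microsoft code: `check_response`, `build_sample`, and the sample values (ExampleCo, jsmith) are hypothetical, and the check reads claims only, without verifying the response signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REPLY_URL = "https://www.intacct.com/ia/acct/sso_response.phtml"  # default Reply URL from this page


def check_response(b64_response, company_id, federated_user_id, reply_urls=(REPLY_URL,)):
    """List mismatches between a captured SAMLResponse and the settings on this page."""
    # Diagnostic only: no XML signature check, so use it only on your own captures.
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    if root.get("Destination") not in reply_urls:
        problems.append(f"Destination {root.get('Destination')!r} is not a configured Reply URL")
    claims = {
        attr.get("Name"): [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS)
    }
    # Exact, case-sensitive comparison is an assumption of this example.
    expected = {"Company Name": company_id, "name": federated_user_id}
    for name, want in expected.items():
        if name not in claims:
            problems.append(f"missing claim {name!r}")
        elif claims[name] != [want]:
            problems.append(f"claim {name!r} is {claims[name]!r}, expected {want!r}")
    for extra in sorted(set(claims) - set(expected)):
        problems.append(f"extra claim {extra!r} should be removed")
    return problems


def build_sample(claims, destination=REPLY_URL):
    """Construct a minimal, unsigned SAMLResponse for the demo (not real Entra output)."""
    attrs = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for n, v in claims.items()
    )
    doc = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        f'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="{destination}">'
        f"<saml:Assertion><saml:AttributeStatement>{attrs}</saml:AttributeStatement>"
        "</saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(doc.encode()).decode()


if __name__ == "__main__":
    EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
    bad = build_sample({"Company Name": "ExampleCo", "name": "J.Smith", EMAIL: "j@example.com"})
    print(check_response(bad, "ExampleCo", "jsmith"))
```

If your company uses a POD-specific Reply URL as well, pass both URLs in `reply_urls`.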