SSO and SCIM for Krisp Organizations: Microsoft Entra ID

Who can use this feature?

Plan: Call Center AI
Managed from: Krisp Admin Portal
User type: Admin
Other: IdP account admin privileges

Krisp Organizations support single sign-on (SSO) and SCIM user provisioning through your identity provider. This guide walks Admins through configuring SAML SSO with Microsoft Entra ID (formerly Azure Active Directory), testing it, enabling SCIM provisioning, and mapping your Entra groups to Krisp teams.

Set this up in order: configure and verify SSO first, then enable SCIM provisioning, then map your teams. SCIM provisioning should be enabled only after SSO sign-in works.

  Hint

Setting up SSO and SCIM for a single team instead of an Organization? See Set up Krisp SSO and SCIM for a single team with Microsoft Entra ID.

Start the SSO setup in the Krisp Admin Portal

  1. In the Krisp Admin Portal, go to Policies >>> Set Org-level Single Sign-On (SSO) policy
  2. Open the Set up SSO sidebar and keep it open. You will copy values from it into Entra, and paste Entra values back into it later.

Create the Krisp application in Microsoft Entra ID

  1. In Microsoft Entra ID, go to Enterprise applications >>> Create a new application
  2. Select Create your own application
  3. Choose the Integrate any other application you don't find in the gallery (Non-gallery) option, then create the application.

Configure single sign-on in Entra

Open the application you just created, then assign access and set up SAML SSO.

  1. Assign the groups that should have access to Krisp
  2. Set up single sign-on using the field mapping below.

  Important

If you need to adjust groups and users, do so from the Default Directory before you enable SCIM provisioning. This ensures users show up in the correct IdP groups once provisioning runs.

Map the Entra SSO fields to your Krisp values as follows:

Entra field Value to enter (from Krisp)
Identifier (Entity ID) Your team slug
Sign on URL (optional) Single Sign-on URL
Reply URL (Assertion Consumer Service URL) Reply URL (Assertion Consumer Service URL)

 

In Attributes & Claims, add a new claim with these values:

  • Name: Email
  • Source: Attribute
  • Source attribute: user.mail


Then add a group claim so Krisp receives each user's group membership. Click Add a group claim and set:

  • Which groups associated with the user should be returned in the claim? Groups assigned to the application
  • Source attribute: Cloud-only group display names
  • Under Advanced options, set Name to groups. 

This adds a claim named groups with the value user.groups.

Complete the SSO configuration in Krisp

Return to the Set up SSO sidebar in the Krisp Admin Portal and fill in the following fields with values from Entra:

Krisp field Value to enter
Audience URI Your team slug
Identity provider Single Sign-On URL Login URL (from Entra)
Identity provider issuer Your team slug
X.509 certificate Certificate (Base64) (from Entra)

 

Enable SCIM provisioning

  Important

Enable SCIM provisioning only after you have verified that SSO sign-in works.

  1. In the Enterprise applications page for Krisp in Entra, go to Provisioning, click New configuration or Connect your application, and set the authentication method to Bearer authentication.
  2. In the Krisp Single Sign-On sidebar, enable the SCIM Configuration toggle and copy the SCIM Endpoint
  3. Paste the endpoint into Tenant URL in Entra
  4. Copy the SCIM token from the Krisp Admin Portal and paste it into Secret Token in Entra
  5. Select Test Connection and confirm it succeeds
  6. Save, open the Provisioning tab, and set Provisioning status to On.

  Info

After you turn provisioning on, allow the current cycle to finish before expecting groups to appear in Krisp. Track progress on the application Overview section under Current cycle status, where you can also manually start or restart provisioning and see provisioning details. Provisioning runs on a recurring cycle, so changes can take some time to sync.

Provision users on demand

To provision specific users or groups right away without waiting for the next cycle, use provision on demand.

  1. In the Krisp application in Entra, go to Provision on demand.
  2. In Select a user or group, search for the user or group you want to provision.
  3. Click Provision. For a group, you can provision up to 5 members at a time.

Map Krisp teams to IdP groups

Once provisioning is running, assign your Entra groups to the Krisp teams that should receive them.

  1. In the Krisp Admin Portal, go to Policies >>> Set Org-level Single Sign-On (SSO) policy
  2. Click Manage Mappings
  3. Click Add team and add the Krisp teams you want to assign groups to
  4. For each team, click the IdP Groups row, search for the group, and assign it.

 

  Info

The users will not need to accept invitations separately. Users who are not part of any IdP group will appear under Ungrouped users.

Once users are provisioned into their mapped teams, each user needs to:

Manage unmapped groups and users

If you see a warning about unmapped groups or users, download a CSV of their addresses to check their details in Entra and confirm whether they are tied to a group. From this view you can also assign or unassign IdP groups, which helps you manage your seats accordingly.

Set the Org-level SSO policy

When your configuration and team mappings are ready, set the policy on the Set Org-level Single Sign-On (SSO) policy page. The policy applies only to the teams selected in SSO mapping. Depending on your selection:

  • Off: Org-level SSO becomes unavailable.
  • Enabled: users can authenticate with SSO, and email authentication remains available.
  • Enforced: all users, including Admins, must use SSO authentication only.

  Important

You can set the policy to Enforced only if at least one Org Admin is currently signed in via SSO. This prevents Admins from being locked out. Enabling Org-level SSO automatically disables team-level SSO for the mapped teams.

If SSO or SCIM errors occur

If sign-in or provisioning fails, collect the details below and send them to the Krisp team so we can investigate:

  • SSO sign-in errors: capture the SAML assertion. If your users see an error while signing in, also share a network log file that captures the error.
  • SCIM provisioning errors: in Entra, go to Monitor >>> Provisioning logs and export the logs covering the time the error occurred.

Have more questions? Submit a request

Was this article helpful?
0 out of 0 found this helpful