Sapling - Microsoft Entra ID Integration Guide

Simplify User Sign-On

• Users can log directly into Sapling using Entra ID SSO
• Users will be able to log in using Entra ID SSO as long as their user emails in Entra ID and Sapling match

Create Users (optional)

• When onboarding a new hire in Sapling, you'll have the option to automatically provision an Entra ID account for them and share their credentials on a specified date/time
  • When the user provisioning slider is enabled, we will validate the Company Email to ensure it matches the Microsoft subdomain specified under the integration settings - check out the Setting Up the Integration section for guidance

• When you're done onboarding the new hire, they will immediately be created in Entra ID with their personal information and job details

• Once created in Entra ID, your IT team can proceed with their usual access provisioning processes and send user credentials to the new hire accordingly (if not already scheduled) - they can do so manually, or automatically via dynamic rules in Entra ID

• Check out this article for more information on onboarding new hires in Sapling

• Check out the Supported Fields section for what fields are synced from Sapling to Entra ID for user creation

Update User Attributes (optional)

• When a user profile is updated in Sapling, the corresponding user profile will immediately be updated in Entra ID

• Please note that this is only supported for Sapling users who were created in Entra ID via this integration

• For all other Sapling users, your IT team will need to manually update them in Entra ID - they can do so individually, or via bulk upload in Entra ID

• Check out the Supported Fields section for what fields are synced from Sapling to Entra ID for user updates

Deactivate Users (optional)

• When a user is offboarded in Sapling, the corresponding user in Entra ID will automatically be deactivated once the Sapling Access Cutoff date (specified during offboarding) is reached

• Please note that this is only supported for Sapling users who were created in Entra ID via this integration

• For all other Sapling users, your IT team will need to manually deactivate them in Entra ID - they can do so individually, or via bulk upload in Entra ID

• Check out this article for more information on offboarding users in Sapling

Admin Permissions Required

To enable the Entra ID integration, you'll need a Super Admin role in Sapling and both an Application Administrator and User Administrator roles in Entra ID. The Applicant Administrator role is needed to authorize the integration, and the User Administrator role is needed to use the integration (for creating/updating users). If needed, you can remove the Applicant Administrator role from your Entra ID profile after authorizing the integration - but you'll need to retain the User Administrator role to keep the integration working (for creating/updating users). 

User Creation and Syncing Limitations

Sapling can only auto-create Entra ID accounts for new hires that are onboarded after the integration is enabled. Additionally, user updates and deactivations will only be synced from Sapling to Entra ID for users who were created in Entra ID via this integration.

For all other Sapling users, you'll need to manage their user updates and deactivations in Entra ID manually. You can do so individually, or via bulk upload in Entra ID. 

All users will be able to log directly into Sapling using Entra ID SSO as long as their user emails in Entra ID and Sapling match - regardless of how their Entra ID accounts were created. 

Part 1: Enable the Entra ID integration and allow for SSO sign-ins in Sapling

1. Under Administration Tools, navigate to Integrations
2. Scroll down to find the Entra ID integration and enable the integration slider
3. Enter your Microsoft subdomain
4. If you'd like for new hires to be created and/or user attributes to be updated in Entra ID, enable the appropriate sliders below and click "Next" - leave both sliders disabled if you only want Entra ID SSO
5. Click "Connect" to sign into your Entra ID admin account and grant the necessary consent - you'll need at least a User Administrator role for the consent to be valid
6. Once redirected back to the Integrations page in Sapling, relaunch the Entra ID integration widget by clicking "Settings"
7. Click "Next" and "Activate" to complete the integration
8. Under Administration Tools, navigate to Platform Settings
9. Under the SSO tab, allow for users to sign in using "Password and SSO" or "SSO only" and click "Save"

Kallidus is continually expanding the number of fields that sync between Sapling and Entra ID.

• Supported fields for this integration

Please note that is not possible to exclude or custom map any of the supported fields above, or map any additional fields at this time. 

Start Date Changes

• What happens if the new hire's start date changes?
  Since Sapling provisions the account and schedules the email notification at the time of onboarding, any subsequent changes are not updated between Sapling and Entra ID. As such, all start date changes must be manually updated in Entra ID.
  
  If the new start date is earlier than the previous start date, Entra ID Admin would need to manually reset the password for the new hire and share it with them. The new hire can then ignore the automated password email notification being sent by Sapling based on the originally scheduled date/time. 
  
  If the new start date is later than the previous start date, to delay a new hire's access to their Entra ID account, you can consider temporarily disabling/suspending the account and restoring it when the new start date is reached. 

Field Name Matching

• For the fields to sync correctly, the naming conventions must match between Sapling and Entra ID for both the fields names and field values (for dropdown fields)

Want to build your own custom integration? Check out the publicly available resources below:

• Sapling API

• Sapling Webhooks

• Microsoft Entra ID API