Single Sign-On (SSO) configuration for Microsoft Azure AD

This document describes the steps required to activate SSO on your CodinGame for Work account using the SAML protocol with Microsoft Azure AD. For the time being, the OAuth2 protocol is not supported.

SSO can also be combined with User Provisioning through the SCIM protocol.

Prerequisites for activating SSO on your CodinGame for Work account:

  • Being on an Enterprise Licence on CodinGame
  • Have admin rights on the CodinGame for Work account.
  • Identify the person on your end who will be able to implement the required configuration changes on your Microsoft Azure AD account, i.e. your system administrator.


  • Account-wide failure to login may occur for your users during the configuration process. Reversing the SSO activation on the account can be done at any time if the configuration fails.
  • At any given time, even while the SSO configuration is active, it is possible for an admin to log into the account using email and password credentials by using one of the following URLs: (US site) (EU site)
  • You may want to test drive the integration on a test CodinGame for Work account first. In that case, contact your account manager to set up this test account.

To activate the SSO configuration on your CodinGame for Work account:

  1. Open a ticket with the support team by sending a request to asking for SSO activation and, possibly, User Provisioning.

  2. The support team will send you back four URL parameters related to SSO:

  • SP Entity ID
  • SP Assertion Consumer URL
  • SP Metadata URL
  • SP Logout URL

  3. And two parameters related to user provisioning if requested:

  • SCIM Base URL
  • SCIM Secret Token

  4. Configure an Enterprise application in Azure AD corresponding to CodinGame for Work:

  • Option: "Create your own application"

  • Option: "Integrate any other application"

  5. Activate SSO with SAML for this application. Edit the Basic SAML Configuration as follows:

  • Identifier (Entity ID) = SP Entity ID (from the CodinGame support team)
  • Reply URL (ACS URL) = SP Assertion Consumer URL (from the CodinGame support team)
  • Leave the other fields empty

   6. Edit the Attribute & Claims and add a new claim:

  • Claim name = User.Email
  • Value = user.userprincipalname

   7. For testing purposes:

  • Add a user to the application in Azure AD. As an alternative you can add a group containing your test user.
  • Invite the same user in your CodinGame for Work account

   8. Send back the following parameters to the CodinGame support team:

  • Certificate (Base64)
  • Login URL
  • Azure AD Identifier
  • Logout URL

   9. Contact support to set up a meeting between one of our engineers and your system admin. During the meeting, CodinGame will          activate SSO on your account and you will be able to check that the test user can connect through SSO. Any final adjustments can be made in real time during this call.

   10. From now on, any user added to both the Azure AD application and the CodinGame for Work account will be authenticated through Azure AD.

As adding users on both sides can be cumbersome and counterproductive, you may want to activate User provisioning as well on your Azure AD instance.

Adding User Provisioning

Once SSO has been activated, User Provisioning can be turned on using the SCIM protocol:

  1. From the Azure AD application, select "Provisioning":

  • Select Automatic Provisioning Mode

  • Add the following parameters:
    • Tenant URL = SCIM Base URL (from the CodinGame support team)
    • Secret Token = SCIM Secret Token (from the CodinGame support team)

  • The "Test Connection" action should be working correctly at this point.

  2. Edit the provisioning Mappings:

  • For "Provision Azure Active Directory Groups", keep the default values:
    • Enabled: Yes
    • Target Object Actions: Create, Update, Delete
    • Attribute Mappings: display
    • Name, members
  • For "Provision Azure Active Directory Users", update the Attribute Mappings:
    • Enabled: Yes
    • Target Object Actions: Create, Update, Delete
    • Attribute Mappings:
        • userPrincipalName = userName (i.e. the login email)
        • Switch([IsSoftDeleted]...) = active
        • givenName = name.givenName
        • surname = name.familyName

        Delete all other attributes, especially onces with filters like addresses[type eq \"work\"] that are not compatible with our solution

  3. Add users and groups to the application:

  • Users added directly will be created with no permissions on your CodinGame for Work Account
  • Groups allow to define a common set of permissions automatically set on the users of that group

  4. From the provisioning menu:

  • Start the provisioning
  • Refresh & wait for “Current cycle status: Initial cycle completed”

  5. Send a final request to support specifying the CodinGame for Work permissions you require for each group attached to the Azure AD application. This can be done during the meeting as well to speed up the process.

  6. From now on users added to your groups will be automatically created in CodinGame for Work with the proper set of permissions.

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.