Microsoft Entra ID SSO

Delphina supports single sign-on with Microsoft Entra ID over OIDC. Setup is a short exchange: your Entra admin creates an app registration, and sends a few values back to the Delphina team.

Before you start

Delphina provides you a connection-specific callback (redirect) URI. It looks like:

https://auth.workos.com/sso/oidc/<your-connection-id>/callback

Use the exact URL the Delphina team sends you — it is unique to your organization.

Configure in Entra ID

On a new app registration for the Delphina integration:

Redirect URI — add the callback URI provided by Delphina (platform type: Web).
Optional ID-token claims — add given_name and family_name. These are required: sign-in fails without them. Accept the Microsoft Graph profile permission if prompted.
Client secret — generate one and record its expiry so it can be rotated before it lapses.

Required claims

The ID token must include sub, email, given_name, and family_name. sub and email are sent by default; given_name and family_name come from the optional-claims step above. Confirm your test users have first and last names populated in their directory profiles, or the claims will be empty.

Send back to Delphina

Value	Notes
Client ID	Application (client) ID from the app registration
Client Secret	Send via a secure channel (e.g. 1Password)
Discovery endpoint	`https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration`
Test users	1–5 user emails to whitelist for testing

Test

Once Delphina has wired up the connection, go to Delphina, enter your email, and click Continue with Entra ID. If anything errors, a screenshot of the screen you land on helps the team diagnose quickly.

Provisioning

Users are auto-provisioned on first successful login (JIT) with a default role, which an org admin can adjust afterward. See User Management & Roles.

​Before you start

​Configure in Entra ID

​Required claims

​Send back to Delphina

​Test

​Provisioning