Microsoft Entra ID
Files.com integrates with Microsoft Entra ID (formerly known as Microsoft Azure Active Directory SSO or Azure AD) for user authentication and provisioning. Single Sign-On lets your users authenticate with their Entra ID password, and lets administrators manage user credentials and privileges in a single location. You can also have more than one Entra ID instance or app connected to your Files.com site.
Files.com supports two protocols for Entra ID authentication: SAML and OAuth. SAML is the recommended protocol. It is more secure and supports automated provisioning for users and groups. OAuth supports authentication only and does not support automated provisioning.
For SAML-based integrations, Files.com supports three provisioning methods: SCIM provisioning, Just-In-Time provisioning, and LDAP provisioning.
SCIM is the recommended method for most environments. Just-In-Time provisioning creates user accounts on first login and works well when group-based provisioning is not required. LDAP provisioning is the recommended method when group-based whitelist or blacklist filters are required, since Entra ID does not include group membership data in its SCIM provisioning requests.
For organizations with on-premises Active Directory or LDAP directories, or for environments where users need to authenticate over FTP, SFTP, WebDAV, or API using their directory password, see LDAP/Active Directory SSO.
Entra ID SSO via SAML
Add Files.com as an application in Entra ID for SAML integration using the steps below.
Adding Files.com in Entra ID for SAML
After logging in to your Entra ID portal as an administrator, navigate to Microsoft Entra ID -> Manage -> Enterprise applications and click the New application button. Click Create your own application. Enter an app name (e.g., Files.com), select Integrate any other application you don't find in the gallery (Non-gallery), and click the Create button.
Under Getting Started, click Set up single sign-on. Under Select a single sign-on method, click SAML. In the Basic SAML Configuration box, click the Edit button.
Complete the form using the following values, and leave other fields at their defaults:
| Field | Value |
|---|---|
| Identifier (Entity ID) | https://app.files.com/saml/metadata |
| Reply URL (Assertion Consumer Service URL) | https://app.files.com/saml/consume |
| Relay State (optional) | [SUBDOMAIN].files.com (Replace [SUBDOMAIN] with your Files.com subdomain). |
| Unique User Identifier | user.userprincipalname (If you populate user.mail in Entra ID, its value must match the user.userprincipalname for all users. See How Files.com Matches Users During SAML Login for details.) |
Click the Save button to apply the changes.
Lastly, copy the App Federation Metadata Url in the SAML Signing Certificate box. You will need this URL when adding Entra ID in Files.com.
Adding Multiple Files.com Apps in Entra ID
You can use the same Entra ID tenant organization with multiple Files.com sites. For example, if you have multiple Files.com sites that represent different brands, a single Entra ID tenant covers all your users.
When adding more than one Files.com app under the same Entra ID tenant organization, Entra ID requires the identifier (Entity ID) to be unique within your organization. Append a unique identifier to the end of the Entity ID URL in Entra ID. For example: https://app.files.com/saml/metadata/unique-id-second-app.
Files.com lets you configure this Unique Identifier (Entity ID) while setting up Entra ID SSO in Files.com.
To integrate multiple Files.com Entra apps that connect to the same Files.com site, consider using Child Sites in Files.com for easier user management. Child Sites maintain distinct authentication settings, handle provisioning and deprovisioning, and organize users without complicating your primary site's configuration. Also consider using the Relay State URL in Entra ID to direct your IdP to the correct site.
Adding Entra ID in Files.com for SAML
Go to the SSO page and select Microsoft Entra ID as the SSO provider, then select Use SAML, and enter the Display Name.
You can connect to a SAML provider in three ways. The right choice depends on your requirements. The Metadata URL is the simplest option because it handles updates automatically, such as certificate renewals or changes to service provider URLs. For example, if Entra ID's certificate expires, the Metadata URL updates automatically, while Metadata XML or Certificate Fingerprint requires manual updates. When automatic updates are not required, Metadata XML works well but requires manual intervention when changes occur. Certificate Fingerprint is the most manual option, giving more control over updates but requiring more effort to manage long-term.
Using Metadata URL
Paste the App Federation Metadata Url you copied from Entra ID into the Metadata URL field.
Using Metadata XML file
To use a metadata XML file to connect to Entra ID via SAML, as an Entra ID administrator, save the content of App Federation Metadata Url to an XML file. In Files.com, select the option Metadata XML file and select the XML file you created from Entra ID.
Using Certificate Fingerprint
To use Certificate Fingerprint to connect to Entra ID via SAML, open the application you created in Entra ID, download the SAML Signing Certificate from the application dashboard, and note the issuer URL. After the certificate is downloaded to your local machine, run the following command in a terminal to obtain the certificate's SHA-256 fingerprint.

```sh
openssl x509 -in [your_cert_file] -noout -sha256 -fingerprint
```
In Files.com, select the Certificate Fingerprint option and paste the fingerprint you obtained from the command. Paste the Issuer URL you copied from Entra ID. You can use the same URL for the SLO endpoint and the SSO endpoint.
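Whichever of the three options you choose, the certificate Files.com trusts is the one published in the App Federation Metadata. The following Python script is an added example (not Files.com's or Microsoft's code): it computes the SHA-256 fingerprint of each signing certificate in a metadata document in the same colon-separated format the openssl command prints, so you can check that a Certificate Fingerprint entered in Files.com still matches what the Metadata URL currently serves, for instance after a certificate renewal. The metadata fragment and the certificate bytes in it are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed metadata fragment in the shape Entra ID serves. The certificate
# content is the base64 of the placeholder bytes b"abc", not a real certificate.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>YWJj</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def sha256_fingerprint(der):
    """SHA-256 of the DER bytes, in the colon-separated uppercase form that
    `openssl x509 -noout -sha256 -fingerprint` prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def pem_to_der(pem_text):
    """DER bytes of the first certificate in a PEM file (what openssl hashes)."""
    body = pem_text.split("-----BEGIN CERTIFICATE-----", 1)[1]
    body = body.split("-----END CERTIFICATE-----", 1)[0]
    return base64.b64decode("".join(body.split()))

def metadata_signing_fingerprints(metadata_xml):
    """Fingerprints of every signing certificate the IdP metadata advertises
    (the metadata can list more than one during a certificate rollover)."""
    root = ET.fromstring(metadata_xml)
    prints = []
    for key in root.iter(MD + "KeyDescriptor"):
        # A KeyDescriptor without a "use" attribute is valid for signing too.
        if key.get("use", "signing") != "signing":
            continue
        for cert in key.iter(DS + "X509Certificate"):
            der = base64.b64decode("".join(cert.text.split()))
            prints.append(sha256_fingerprint(der))
    return prints

def fingerprint_is_current(entered, metadata_xml):
    """True when the fingerprint configured in Files.com still matches a
    signing certificate in the metadata; False after the IdP rotated it."""
    return entered.strip().upper() in metadata_signing_fingerprints(metadata_xml)
```

Run `fingerprint_is_current` against the live metadata document on a schedule to catch a silent certificate rotation before logins start failing.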
Assigning Users and Groups
After you save the changes, the Entra ID SSO method is available when assigning an authentication method for a user in Files.com, and the Sign in with Entra ID button appears on your site's login page.
Users and groups must be assigned to the Files.com application in Entra ID before they can access it.
We strongly recommend keeping at least one site administrator with the password option as the authentication method, rather than assigning all administrators to SSO. Doing this prevents lockout from Files.com if your IdP or SSO has issues.
How Files.com Matches Users During SAML Login
When a user initiates a SAML login with Entra ID, Entra ID authenticates the user and sends a SAML response to Files.com containing the user's attributes. Files.com reads those attributes to find the matching account.
Each Entra ID user profile has a username field (user.userprincipalname) and an email address field (user.mail). When the email address is set, Entra ID includes it in the SAML response and Files.com uses it to find the matching account by the Files.com username field. Files.com ignores the User Principal Name in this case, even if it would have matched.
When the email address is blank, Entra ID does not include it in the SAML response and Files.com uses the User Principal Name to find the matching account by the Files.com username field instead.
When the value Files.com uses does not match any existing Files.com username, Files.com automatically provisions a new account for the authenticated user. When SCIM provisioning is also active, this creates two accounts for the same user: the newly provisioned account and the original SCIM-provisioned account.
Make sure that the Entra ID values for user.userprincipalname and user.mail are the same for every user to prevent duplicate user accounts from being created in Files.com.
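The matching rule above, modelled in Python as an added example (not Files.com's own code): it pulls the attributes from a SAML response, picks the value Files.com compares against its username field, and reports whether a login would match an account, provision a new one, or create a duplicate next to a SCIM-provisioned account. A second function checks a list of UPN and mail pairs exported from Entra ID for mismatches before SSO is enabled. The claim URIs are Entra ID's default claim names and are assumed here to be the attributes that are matched on; the response fragment is constructed.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Entra ID's default claim names for user.userprincipalname and user.mail
# (assumed here to be the attributes Files.com reads).
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
MAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed response fragment, not a real Entra ID assertion: the user's
# mail is set and differs from the UPN, the exact case that causes duplicates.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion><saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>jdoe@corp.example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>j.doe@corp.example</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""

def saml_attributes(response_xml):
    """Return {claim name: first non-empty value} from the AttributeStatement."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        if value is not None and value.text and value.text.strip():
            attrs[attr.get("Name")] = value.text.strip()
    return attrs

def matching_value(attrs):
    """The value compared against the Files.com username: user.mail when it is
    set (the UPN is ignored even if it would match), otherwise the UPN."""
    return attrs.get(MAIL_CLAIM) or attrs.get(UPN_CLAIM)

def login_outcome(attrs, existing_usernames):
    """'match': an existing account is used. 'provision': a new account is
    auto-created. 'duplicate': a new account is created although the UPN
    (the username SCIM provisions) already matches an existing account."""
    value = matching_value(attrs)
    if value is None:
        return "no-identifier"
    if value in existing_usernames:
        return "match"
    if attrs.get(UPN_CLAIM) in existing_usernames:
        return "duplicate"
    return "provision"

def upn_mail_mismatches(users):
    """Pre-check over (userPrincipalName, mail) pairs exported from Entra ID:
    returns the UPNs whose mail is set but differs from the UPN. Fix these in
    Entra ID before enabling SSO alongside SCIM to avoid duplicate accounts."""
    return [upn for upn, mail in users if mail and mail != upn]
```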
Entra ID SSO via OAuth
Add Files.com as an application in Entra ID for OAuth integration using the steps below. OAuth is not compatible with SCIM for user and group provisioning.
Adding Files.com in Entra ID for OAuth
After logging in to your Entra ID portal as an administrator, navigate to Microsoft Entra ID -> Manage -> App registrations and click the New registration button.
In the registration form, enter Files.com in the Name field, and enter the Web URL https://app.files.com/login_from_oauth?provider=azure in the Redirect URI field. Keep the supported account type as Accounts in this organizational directory only (Default Directory only - Single tenant).
Click the Register button to complete the registration.
Next, copy both the Application (client) ID and Directory (tenant) ID by clicking the copy icon that appears when hovering your cursor over them, and make a note of these by pasting them into a text/document editor.
Next, to generate a client secret, navigate to Certificates & secrets, and click the New client secret button.
In the dialog that appears, enter a Description and select the Expires option according to your preference.
Click the Add button to generate your client secret.
Next, use the copy icon next to the generated secret Value to copy it, and make a note of it along with your previously copied client and tenant IDs.
Adding Entra ID in Files.com for OAuth
Go to the SSO page and select Microsoft Entra ID as the SSO provider.
In the Add provider form, select the Use OAuth option, enter the Display Name, paste your Directory (tenant) ID copied from Entra ID into the Tenant ID field, paste your Application (client) ID copied from Entra ID into the Client ID field, and paste your Client secret copied from Entra ID into the Client Secret field.
Click the Save button to apply the change.
The Entra ID SSO method is now available when assigning an authentication method for a user in Files.com, and the Sign in with Entra ID button appears on your site's login page.
We strongly recommend keeping at least one site administrator with the password option as the authentication method, rather than assigning all administrators to SSO. Doing this prevents lockout from Files.com if your IdP or SSO has issues.
Provisioning Users Automatically
Entra ID provides three methods for automatically provisioning users: SCIM provisioning, Just-In-Time (JIT) provisioning, and LDAP provisioning.
SCIM provisioning synchronizes user and group data between Entra ID and Files.com, keeping user records consistent and up to date, and is the recommended method for most environments.
JIT provisioning creates user accounts in Files.com at the moment of a user's initial successful login.
LDAP provisioning is an alternative for environments that need group-based whitelist or blacklist filters. Entra ID does not include group membership data in its SCIM User sync, which means those filters cannot function when SCIM is the provisioning source. LDAP provisioning resolves this by reading group membership directly from your LDAP directory, while authentication continues through Entra ID.
SCIM Provisioning
SCIM Provisioning is a standard that automatically provisions your users in Files.com from your Entra ID identity source. SCIM provisioning is only compatible with SAML-based integration, not OAuth. Files.com offers many configuration options for SCIM provisioning, detailed in the Configuration Options section of our SCIM provisioning documentation.
When you enable SCIM provisioning and save your provider configuration, the SCIM Secret Token is generated automatically. Edit your provider to copy the Secret Token and enter it in Entra ID for SCIM provisioning setup.
In your Entra ID portal, navigate to Microsoft Entra ID -> Enterprise Applications -> Files.com. Under the Manage menu, select Provisioning, set the Provisioning Mode to Automatic, enter the SCIM API endpoint URL as https://app.files.com/api/scim, and set the Secret Token to the access token generated above. Click Test Connection and wait for the confirmation message, then click Save to authorize and enable provisioning.
SCIM Token Expiration
The SCIM authentication token expires a year from the date you generated it. Site Administrators receive an alert email from Files.com before your SCIM token expires. You can extend the expiry date of the SCIM provisioning Secret Token in Files.com at any time. Edit your Entra ID provider's settings and enter a new date in the Token Expiration text box, or pick a new date from the date picker, and click Save.
To revoke the current token and get a new one, edit your Entra ID provider's settings and choose the Reset Token option. Save your provider configuration, and a new token is generated and available for you to copy from the Secret Token text box.
User Fields Mapping Between Entra ID and Files.com With SCIM Provisioning
When provisioning a user to Files.com via SCIM, Files.com maps the User Principal Name from Entra ID to the username field in Files.com and the email address from Entra ID to the email field in Files.com. To prevent duplicate accounts during authentication, ensure these values match before enabling SCIM provisioning or SSO.
Files.com combines First Name and Last Name into Full Name. When both are blank, the username is used as Full Name. Display Name and other fields from Entra ID are ignored.
Group Memberships
Entra ID SCIM provisioning runs as two separate operations. The User sync provisions user accounts but carries no group membership data. The Group sync runs independently and provisions group objects along with their member lists, placing users into their assigned groups. Group-based filters do not function with Entra ID SCIM provisioning because they evaluate group membership at User sync time, before that data has arrived.
Just-In-Time (JIT) Provisioning
JIT Provisioning creates user records on Files.com upon a user's first successful login. The method is easier than SCIM, but it has one major limitation when used with Entra ID.
Entra ID sends group object IDs rather than group names in the SAML response, so users are provisioned into groups whose names appear as UUIDs (long strings of characters). These groups work, but they are not easily understood.
Some customers use our API to retroactively rename those groups, but this is not a clean solution. We strongly recommend SCIM provisioning instead when you need to provision group memberships from Entra ID.
This is a limitation of Entra ID itself, not Files.com. JIT Provisioning works correctly on Files.com for other SAML providers, including Okta, Auth0, and OneLogin.
JIT Provisioning works when your Entra ID users are not members of any groups, or when you disable group provisioning via SAML.
LDAP Provisioning
LDAP provisioning lets you use your LDAP directory as the sync source for user and group provisioning while Entra ID continues to handle authentication. Files.com reads group membership directly from your LDAP directory on an hourly schedule and uses that data to provision and deprovision users and groups in Files.com.
LDAP provisioning is configured directly on your existing Entra ID integration. You do not need to create a separate LDAP integration for provisioning. Both the Entra ID authentication configuration and the LDAP provisioning configuration are managed from the same place.
Use LDAP provisioning when you need group-based whitelist or blacklist filters to control which users are provisioned into Files.com. These filters evaluate group membership data that Entra ID does not include in its SCIM User sync, so they cannot function with SCIM or JIT provisioning. LDAP provisioning provides that group membership data directly.
Use SCIM provisioning instead when group-based filters are not required. SCIM provisioning is real time, simpler to configure, and is the recommended method for most Entra ID environments.
The following fields are required to connect Files.com to your LDAP directory for provisioning:
| Field | Details |
|---|---|
| LDAP Host | The fully qualified domain name (FQDN) or IP address of your LDAP server. You can add a backup host that Files.com uses when the primary host is unreachable. |
| LDAP Server Type | The type of LDAP directory. Supported options are Active Directory and OpenLDAP. |
| LDAP Port | The port used to connect to your LDAP server. |
| Secure Connection | When enabled, Files.com connects using LDAPS, which encrypts communication with SSL/TLS. We recommend enabling this. |
| LDAP Username Field | The LDAP attribute used to match users to Files.com accounts. sAMAccountName is the default. Use userPrincipalName if your organization requires it. |
| LDAP Username | The service account username Files.com uses to connect to your LDAP server. |
| LDAP Password | The password for the LDAP service account. |
| Distinguished Name · Base Search Path | The distinguished name where Files.com starts searching the LDAP directory. For example: CN=Users,DC=mydomain,DC=local. |
| LDAP Domain | The domain suffix appended to usernames in Files.com. For example, mydomain.com creates usernames as user@mydomain.com. |
Files.com offers additional configuration options for LDAP provisioning, including the group-based whitelist and blacklist filters Only provision users in these groups, Only provision these groups, and Exclude these groups from provisioning, which are evaluated against the LDAP-synced group membership data.
If LDAP provisioning repeatedly fails, Files.com automatically disables LDAP provisioning for that integration. The Entra ID integration remains enabled, so users continue to authenticate through Entra ID without interruption.
For LDAP connection prerequisites, firewall requirements, and troubleshooting, see LDAP/Active Directory SSO.