Yes, Jaapi integrates with Microsoft Entra ID (formerly Azure AD). Employees sign in to the swag store with their existing Microsoft work account via SAML 2.0, and SCIM 2.0 keeps the store’s user list in sync — accounts are created on hire and deactivated on departure. If your company already runs Microsoft 365, this is usually the fastest integration to stand up.
How does the Microsoft Entra ID integration work?
The integration has two halves that work independently or together. Single sign-on lets employees authenticate with their Entra identity through SAML 2.0 — no separate store password. SCIM provisioning lets Entra push user lifecycle events to the store, so the roster stays current automatically. Entra acts as the identity provider; Jaapi is the application that receives sign-ins and provisioning events.
How do employees sign in?
Both standard SAML flows are supported, and most customers enable both since they share the same Entra configuration:
- From Microsoft My Apps. Users open myapps.microsoft.com and click your swag store’s tile — Entra posts a signed assertion and they land logged in. This is IdP-initiated and needs no extra setup.
- From the storefront. Users go to the store’s sign-in page and choose Sign in with SSO, which redirects them to Entra and back. This is SP-initiated.
Sign-in uses the user’s email as the identifier, and optional claims like display name can populate their store profile on first login.
What syncs from Entra to Jaapi?
With SCIM provisioning enabled, the store’s user list mirrors the users assigned to the Jaapi app in Entra:
- Onboarding. Assigning a user to the app creates their store account.
- Profile updates. Name and email changes flow through automatically.
- Offboarding. Unassigning or deactivating a user deactivates their store account, and unspent credit is reclaimed to an admin wallet.
- Rehires. Reassigned users have their original account reactivated, history intact.
How do I set up Entra ID SSO?
You’ll need the Cloud Application Administrator or Application Administrator role in Entra. The setup takes about ten minutes, plus a short certificate exchange with Jaapi.
- In the Microsoft Entra admin center, create a new non-gallery enterprise application for your swag store.
- Open Single sign-on → SAML and enter the Identifier, Reply URL (ACS), and Sign-on URL from your store’s setup guide. Set the NameID to the user’s email.
- Download the Base64 SAML signing certificate and assign your test user to the app.
- Email it to Jaapi along with your store domain and Entra Login URL. We pin the certificate and enable the SSO tile on your storefront.
A full step-by-step walkthrough with your store’s exact URLs lives in your store’s Azure AD setup guide.
Why does the first sign-in fail by design?
Jaapi does not trust any identity provider certificate by default. Your first sign-in attempt is rejected on purpose, and the certificate from that attempt is captured for review. Once we confirm it matches the file you sent, we pin it and your team signs in normally. This deliberate step prevents anyone from impersonating your identity provider during onboarding — part of why Jaapi is ISO 27001:2022 certified with EU-hosted data.
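The capture-then-pin step described above, as an added example that is not Jaapi's code. `TenantTrust`, the helper names and the sample bytes are assumptions constructed for illustration; the sample bytes stand in for a DER certificate, and checking the XML signature against the pinned certificate is a separate step it does not perform.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
# Constructed stand-ins for DER certificate bytes (not real certificates).
IDP_DER, OTHER_DER = b"constructed-idp-cert", b"constructed-other-cert"

def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def der_from_pem(pem: str) -> bytes:
    """Strip the PEM armour from the Base64 certificate file the admin sent."""
    lines = [l.strip() for l in pem.strip().splitlines()]
    return base64.b64decode("".join(l for l in lines if not l.startswith("-----")), validate=True)

def der_from_response(saml_xml: str) -> bytes:
    """Certificate embedded in the response. Real input needs a hardened XML parser."""
    node = ET.fromstring(saml_xml).find(f".//{DS}X509Certificate")
    if node is None or not (node.text or "").strip():
        raise ValueError("response carries no X509Certificate")
    return base64.b64decode("".join(node.text.split()), validate=True)

class TenantTrust:
    def __init__(self):
        self.pinned = None    # fingerprint trusted for sign-in; empty by default
        self.captured = None  # fingerprint seen on a rejected first attempt

    def sign_in(self, saml_xml: str) -> str:
        seen = fingerprint(der_from_response(saml_xml))
        if self.pinned is None:
            self.captured = seen  # held for review, never trusted automatically
            return "rejected: no pinned certificate, captured for review"
        if not hmac.compare_digest(seen, self.pinned):
            return "rejected: certificate does not match pin"
        # A matching certificate only selects the key; the signature check follows.
        return "certificate matches pin"

    def review(self, emailed_pem: str) -> bool:
        """Pin only when the captured certificate equals the file sent out of band."""
        ok = self.captured is not None and hmac.compare_digest(
            fingerprint(der_from_pem(emailed_pem)), self.captured)
        if ok:
            self.pinned = self.captured
        return ok

def sample_pem(der: bytes) -> str:  # constructed PEM wrapper
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

def sample_response(der: bytes) -> str:  # constructed, unsigned response skeleton
    return (f'<Response xmlns:ds="{DS[1:-1]}"><ds:Signature><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{base64.b64encode(der).decode()}</ds:X509Certificate>'
            '</ds:X509Data></ds:KeyInfo></ds:Signature></Response>')
```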