Overview
This integration allows your users to sign in to Fiddler using their existing Microsoft Entra ID account, without needing a separate Fiddler password. Users are automatically provisioned on their first successful login — no manual invitations required. Entra ID group memberships can be synchronized to Fiddler teams.Prerequisites
Before starting, ensure you have:- Microsoft Entra ID Administrator Access: Permissions to register applications and grant admin consent in your Entra ID tenant.
- Fiddler AuthN Administrator Access: Org Owner role in Fiddler’s AuthN management console.
- Deployment Information: The hostname of your Fiddler deployment, e.g.
idpexample.dev.fiddler.ai. - Entra ID P2 License (cloud-native group sync only): required to emit group display names for cloud-native groups. Not needed for basic SSO or for groups synced from on-premises AD.
Configuring Microsoft Entra ID
https://authn-{base_url}/ui/login/login/externalidp/callbackhttps://authn-{base_url}/idps/callback
{base_url} with your Fiddler deployment host (e.g. idpexample.dev.fiddler.ai).Register the Application
- In the Microsoft Entra admin center, go to Entra ID → App registrations and select New registration.
-
Enter a Name, e.g.
Fiddler IdP Example. - Under Supported account types, select Accounts in this organizational directory only (Default Directory only - Single tenant).
-
Under Redirect URI, select the Web platform and enter the first redirect URI (replace the host with your deployment):
https://authn-idpexample.dev.fiddler.ai/ui/login/login/externalidp/callback. -
Select Register.

Add the Second Redirect URI
- In the registered application, go to Manage → Authentication.
- Under Redirect URI configuration, select Add Redirect URI.
-
Select Web and add the second redirect URI (replace the host with your deployment):
https://authn-idpexample.dev.fiddler.ai/idps/callback. -
Select Configure.

Create a Client Secret
- In the registered application, go to Certificates & secrets. Under Client secrets, select New client secret.
- Add a description, choose an expiry, and select Add.
-
Copy the secret Value immediately — it is shown only once.

Configure API Permissions
- In the registered application, go to API permissions and select Add a permission → Microsoft Graph → Delegated permissions.
-
Select
openid,email,profile,offline_access, andUser.Read, then select Add permissions. -
Select Grant admin consent for Default Directory.

Configure the Token Claims
- In the registered application, go to Token configuration.
-
Select Add optional claim, choose the ID token type, and add
email,given_name, andfamily_name. When prompted, enable the option to turn on the Microsoft Graphemailandprofilepermissions (required for these claims to appear in the token), then select Add.
-
Select Add groups claim, choose Groups assigned to the application, select the ID token, then select Add. Only the ID token is required for Fiddler. By default Entra emits group IDs (GUIDs); to emit the group names that Fiddler maps to teams, complete Enable Group Sync below.

Configuring Fiddler
Fiddler AuthN Console Sign-in
authn-. For example, if your Fiddler base URL is https://idpexample.dev.fiddler.ai then you will access the AuthN management console at https://authn-idpexample.dev.fiddler.ai.
Select Your Organization

Navigate to Identity Providers in Settings

Add a New Microsoft Provider
- Select the Microsoft option in the Add provider section, which brings up the Microsoft Provider form.
-
Note the callback URL shown in the form — it corresponds to the redirect URIs you registered in Entra ID earlier, so no further changes are needed in Entra ID.

Configure the Microsoft Provider in Fiddler
-
In the Microsoft Provider form, enter the following values:
- Enter a name in the Name text box. This name is displayed on the SSO login button on the Fiddler sign-in page, so choose one your users will recognize.
- In the Client ID and Client Secret text boxes, paste those values copied from Entra ID.

Configure Additional Parameters
- Expand the optional section.
-
Ensure the Scopes List includes
openid,profile, andemail. - Under Tenant Type, select Tenant ID and paste your Directory (tenant) ID.
- Ensure the Automatic create and Automatic update checkboxes are selected.
-
Set the Determines whether an identity will be prompted to be linked to an existing account dropdown to Check for existing Username.

Save the Configuration Changes

Activate the Microsoft Entra ID IdP
-
Select your IdP from the list and select the Activate button on the identity provider page.

-
Close the settings and then select Login Behavior and Security from the left nav menu and ensure the External login allowed checkbox is selected.

-
Select the Save button.

Create a Custom Action

- Select the New button in the Scripts section to create a new action script.
- Copy the Microsoft Entra ID Action Script below and paste it into the script text area.
- Enter
setAttributesOnAzureOIDCAuthin the Name text box. - Select the Add button.
Microsoft Entra ID Action ScriptConfigure the Action Trigger

- Select the External Authentication option for the Flow Type dropdown.
- Select the + Add trigger button.
- Select the Post Authentication option for the Trigger Type dropdown.
- Select the setAttributesOnAzureOIDCAuth option for the Actions dropdown.
- Select the Save button.
Set the Organization SSO Authentication Type
-
Go to the Metadata section and select Edit.

-
Select the Add button, then enter the key
fiddler_sso_authentication_typewith the valueSSO:AZURE:OIDC.
- Select the Save button next to the new entry.
Validate the Integration
-
Open your Fiddler URL (e.g.
https://idpexample.dev.fiddler.ai). -
Ensure you see the Fiddler sign-in page and that it displays an SSO login button labeled with the name you configured.

-
Select the button and confirm that the Fiddler application loads.

Enable Group Sync
Fiddler maps identity provider group names (with a configurable prefix) to Fiddler teams and roles — see Mapping AD Groups to Fiddler Teams for the naming convention. By default, Entra ID emits group IDs (GUIDs) in the token, which Fiddler cannot map — so group sync requires emitting group display names.Cloud-native groups
Emitting display names for cloud-native groups requires an Entra ID P2 license.- In Enterprise applications, open your application, go to Users and groups, and assign the users and groups that should be sent to Fiddler. Only groups assigned to the application are returned.
-
In the registered application, go to Manage → Manifest. Download a copy of the manifest first as a backup, then update it:
- Set
groupMembershipClaimstoApplicationGroup. - In
optionalClaims.idToken, set thegroupsclaim’sadditionalPropertiesto["cloud_displayname"]so display names are returned.
- Set
-
Save the manifest.


On-premises-synced groups
For groups synced from on-premises AD, set the groups claim format tosAMAccountName in Token configuration. This requires no manifest change or P2 license.
Getting Help
If sign-in fails, review the Entra ID sign-in logs (Entra ID → Monitoring & health → Sign-in logs) for the failed attempt and its reason. Common Entra error codes:AADSTS50105— the user is not assigned to the application. Assign the user (or their group) to the registered application.AADSTS700016— the application was not found. Verify the Client ID and tenant are correct.AADSTS90094— admin consent is required. Grant admin consent for the API permissions.
Important Notes
- Data Storage: Fiddler stores the following profile attributes from Entra ID: first name, last name, display name, email address, and group memberships (used to map users to Fiddler teams).
- API Access: For programmatic API access, users create an API key from the Credentials tab in Fiddler’s Settings page.
- Single Authentication Method: Users can only authenticate via either SSO or email authentication, not both.
- Client Secret Expiration: Entra ID client secrets expire. Track the expiry date and rotate the secret before it lapses to avoid login outages.
Next Steps
After successful integration:- Train Users: Provide guidance on accessing Fiddler through Microsoft Entra ID SSO.
- Configure Teams: Map your Entra ID groups to Fiddler teams — see Mapping AD Groups to Fiddler Teams.
- Test Group Sync: Verify automatic group synchronization is working as expected.
- Monitor Usage: Review authentication logs and set a reminder for client secret expiration.
