Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.clarion.cantina.xyz/llms.txt

Use this file to discover all available pages before exploring further.

This guide explains how to register an app in Microsoft Entra ID (formerly Azure AD) and connect it to Clarion. Once configured, users who sign in with a mapped email domain are required to authenticate through Microsoft Entra.
Estimated time: 10-15 minutes. You will need Microsoft Entra admin access and access to the Clarion workspace where you want to configure SSO.

Prerequisites

  • Access to the Microsoft Entra admin center with permission to register applications
  • Access to the Clarion workspace settings as a company manager

Register an app in Microsoft Entra ID

  1. Sign in to the Microsoft Entra admin center.
  2. Go to Identity > Applications > App registrations.
  3. Click New registration.
  4. Enter a name (for example, Clarion SSO) and click Register.
  5. On the app overview page, copy the Application (client) ID — you will need this in Clarion.
  6. Note your Directory (tenant) domain shown under Overview (for example, contoso.onmicrosoft.com).

Create a client secret

  1. In your registered app, go to Certificates & secrets.
  2. Click New client secret, enter a description and expiry, then click Add.
  3. Copy the Value immediately — it is shown only once.

Add the SSO connection in Clarion

  1. Open Clarion and go to Settings > Single Sign-On (SSO).
  2. Click Add Connection.
  3. Enter the following values:
    • Tenant Domain — your Microsoft Entra tenant domain, for example contoso.onmicrosoft.com
    • Client ID — the Application (client) ID from your app registration
    • Client Secret — the secret value you copied
    • Email Domain — the email domain whose users will be required to sign in via Entra, for example contoso.com
  4. Click Create Connection.

Verify the connection

After saving:
  • The connection appears in the Microsoft Entra / Azure AD section of the SSO settings page showing the tenant domain, client ID, and mapped email domain.
  • Users who sign up or sign in with the mapped email domain will be redirected to Microsoft Entra for authentication.

Remove a connection

To remove an SSO connection, click the trash icon next to the connection on the SSO settings page and confirm the deletion. Users on the mapped domains will no longer be required to sign in via Microsoft Entra.

Troubleshooting

401 Unauthorized when saving

  • Confirm you are signed in to Clarion with an account that has manager access to the workspace.

The tenant domain is rejected

  • Enter only the domain portion, for example contoso.onmicrosoft.com. Do not include https://.

Users are not redirected to Entra after setup

  • Confirm the Email Domain matches the domain part of the users’ email addresses exactly (for example contoso.com, not contoso.onmicrosoft.com).
  • Allow a few minutes for the connection to propagate after creation.