
Set up Veryfi access with Entra SSO

Entra SSO Integration Guide for Veryfi

Updated today

Welcome to the Veryfi Entra SSO integration guide! This document walks you through connecting your Microsoft Entra ID (formerly Azure AD) with Veryfi to enable Single Sign-On capabilities across your organization.

By implementing this integration, your team members will enjoy a streamlined authentication experience with enhanced security and simplified access management. This step-by-step tutorial will help you configure SAML-based authentication between Microsoft Entra and Veryfi quickly and efficiently, eliminating the need for separate login credentials and reducing password fatigue for your team.

  1. Log in to your Azure account.

  2. Go to Enterprise applications and click New application

  3. Click Create your own application

  4. Give your application an appropriate name like “Veryfi” and click Create

  5. In the application editor, click Set up single sign-on

  6. Select SAML

  7. Log in to your Veryfi account and navigate to Settings and Keys


  8. Click Add SSO Credentials


  9. Return to the Azure SAML configuration panel and copy the following fields from Azure to Veryfi


  10. Click the Edit button in the Basic SAML configuration section


  11. Set the Identifier (Entity ID) to https://app.veryfi.com and fill the Reply URL (Assertion Consumer Service URL) with the Application Callback URL in Veryfi


  12. Download the Certificate in Base64 from Entra


  13. Open the certificate in a text or code editor. It will be in the following format


  14. Reformat the certificate by removing the “Begin Certificate” and “End Certificate” lines. Remove all new line characters so the certificate is a single line of continuous text


  15. Paste the certificate into the Certificate section in Veryfi


  16. Save both the Entra and Veryfi configuration. Use Entra’s Test this application button to verify SAML authentication is working


Veryfi SSO Self-Debugging Guide

For Okta and Microsoft Entra (Azure AD) setups

Before You Start

SSO is not self-service. It must be enabled on your Veryfi account by the support team before the configuration section appears. If you don't see "Single Sign-On" under Settings > Keys, contact your Veryfi account manager and ask them to enable it first.


Step 1: Setting Up the SAML App in Your IdP

Entra (Azure AD)

These are the exact values you need:

  • Entity ID (Identifier): https://app.veryfi.com

  • Reply URL (Callback URL): copy from Veryfi Settings > Keys > Application Callback URL

  • Sign-on URL: copy from Veryfi Settings > Keys

The #1 mistake: Adding a trailing slash to the Entity ID. https://app.veryfi.com/ breaks it. No slash.

The Callback URL changes every time you open settings. That's expected. You just need whatever value is shown when you're actively configuring.

Okta

Use the SAML 2.0 app template. The Entity ID and ACS URL come from Veryfi Settings > Keys. Okta users generally hit fewer friction points than Entra users, but the same Entity ID rule applies.


Step 2: Copying the Certificate

This is where most Entra setups break.

When you download the X.509 certificate from Entra, it arrives formatted with line breaks. Veryfi needs it as a single continuous string with no spaces or newline characters.

Before pasting the certificate into Veryfi:

  1. Open the certificate file in a text editor

  2. Remove all line breaks so it's one long string

  3. Do not include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- headers, just the base64 content

If the certificate has any spaces or line breaks, SSO will appear to save but will fail on login.


Step 3: Testing the Connection

After saving your config in both Veryfi and your IdP, do not try logging in at app.veryfi.com/auth/login/. There is no SSO button on that page. That's expected.

How to log in with SSO:

  • Entra users: Go to your Microsoft MyApplications portal (myapps.microsoft.com) and click the Veryfi app. Your IT team needs to assign users to the app in Entra first.

  • Okta users: Use your Okta dashboard tile.

Direct navigation to the app URL will not trigger SSO.


Step 4: Diagnosing a 500 Error on /saml2/

A POST https://app.veryfi.com/saml2/ 500 (Internal Server Error) on first login has a few possible causes.

Work through these in order:

Check 1: Entity ID

Compare the Entity ID in your IdP app against what Veryfi expects. Even a trailing slash causes this error.

Check 2: Certificate formatting

Re-check the certificate for spaces or newlines. When in doubt, re-export from your IdP and re-paste.

Check 3: Callback URL mismatch

This happens if the SSO config in Veryfi was deleted and recreated after the IdP was configured. The Reply URL in your IdP may point to an old callback URL.

Fix: Go to Veryfi Settings > Keys, note the current Application Callback URL, then update the Reply URL in your IdP to match.

Check 4: It might be on Veryfi's side

Some 500 errors are backend bugs unrelated to config. If you've verified all three above, contact Veryfi support with a screenshot and the timestamp of the failed attempt.
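The certificate clean-up from Step 2 and Checks 1 to 3 above can be scripted instead of done by hand; the following is an added example, not Veryfi's own code. The function names, the DER completeness check (an extra guard against a truncated paste), the sample bytes and the placeholder URLs are all assumptions made for illustration.

```python
import base64
import binascii
import re

PEM_MARKER = re.compile(r"-----(?:BEGIN|END) CERTIFICATE-----")
EXPECTED_ENTITY_ID = "https://app.veryfi.com"  # value stated in this guide

def is_complete_der_sequence(der: bytes) -> bool:
    """True if der is one ASN.1 SEQUENCE whose declared length matches its size."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                      # short-form length
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def flatten_certificate(pem_text: str) -> str:
    """Strip PEM markers and all whitespace; reject damaged or truncated input."""
    one_line = "".join(PEM_MARKER.sub("", pem_text).split())
    try:
        der = base64.b64decode(one_line, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from None
    if not is_complete_der_sequence(der):
        raise ValueError("not a complete DER structure (truncated copy/paste?)")
    return one_line

def preflight(entity_id: str, idp_reply_url: str, veryfi_callback_url: str, pasted_cert: str) -> list:
    """Return the configuration problems from Checks 1-3, empty list if none."""
    problems = []
    if entity_id != EXPECTED_ENTITY_ID:
        problems.append("Entity ID differs from https://app.veryfi.com (trailing slash?)")
    if "-----" in pasted_cert or pasted_cert != "".join(pasted_cert.split()):
        problems.append("certificate contains PEM markers, spaces or newlines")
    if idp_reply_url != veryfi_callback_url:
        problems.append("Reply URL in the IdP does not match the current Callback URL")
    return problems

# Constructed stand-in: bytes shaped like a DER SEQUENCE, NOT a real certificate.
_PAYLOAD = bytes(range(256)) * 3
SAMPLE_DER = b"\x30\x82" + len(_PAYLOAD).to_bytes(2, "big") + _PAYLOAD
_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PEM = "\r\n".join(["-----BEGIN CERTIFICATE-----",
                          *[_B64[i:i + 64] for i in range(0, len(_B64), 64)],
                          "-----END CERTIFICATE-----", ""])

if __name__ == "__main__":
    flat = flatten_certificate(SAMPLE_PEM)
    print(len(flat), "characters on one line")
    # Placeholder URLs; the real Callback URL comes from Veryfi Settings > Keys.
    print(preflight("https://app.veryfi.com/", "https://old.example.invalid/cb",
                    "https://new.example.invalid/cb", SAMPLE_PEM))
```

To use it on a real export, read the downloaded certificate file as text and pass its contents to flatten_certificate; the returned string is what goes into the Certificate field.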


Step 5: Setting Up a Second Account (Multi-Account Customers)

If you have two Veryfi accounts (e.g., one for Receipts, one for Invoices) and need SSO on both, set up a separate IdP app for each. The "Add SSO credentials" button has a known bug where it becomes unresponsive when adding a second configuration. If this happens, contact Veryfi support directly to add it on the backend.


What SSO Covers (and What It Doesn't)

SSO applies to the Veryfi Hub/portal only. The Lens SDK uses API key authentication and does not support SSO. If you're building a mobile integration with Lens, your users authenticate with API keys, not via your IdP.


Quick Checklist Before Contacting Support

  • SSO is enabled on my Veryfi account (I can see it in Settings > Keys)

  • Entity ID is https://app.veryfi.com with no trailing slash

  • Certificate is a single string with no spaces or newlines

  • Reply URL in my IdP matches the current Callback URL from Veryfi Settings

  • I'm logging in via MyApps/Okta dashboard, not the Veryfi login page

  • Users are assigned to the app in my IdP

If all of the above are confirmed and login still fails, collect the error message, browser console output, and a timestamp, then open a support ticket or email Veryfi support for personalized assistance.

Access via SSO is not enforced by default. Make sure that it's working as expected before enforcing it as the only possible login method. Refer to this article for more information.
