SSO Microsoft Entra ID

Overview

This guide walks you through setting up Single Sign-On (SSO) for Buckaroo Plaza using Microsoft Entra ID (formerly Azure Active Directory). The process has three parts:

  • Part 1 — Entra ID: Create an App Registration to get the credentials Plaza needs.

  • Part 2 — Entra ID: Assign which users in your organisation can access Plaza.

  • Part 3 — Plaza: Register your domain, configure OIDC, test, enable SSO, and map users.

ℹ️ Prerequisites: You need (1) Global Administrator or Application Administrator rights in your Entra ID tenant, and (2) admin access to your Buckaroo Plaza merchant account.


Part 1: Create an App Registration in Entra ID

An App Registration tells Entra ID that Plaza is a trusted application your users can sign in to. This is where you create the Client ID and Client Secret that you will enter in Plaza later.

Step 1 — Navigate to App Registrations

  1. Sign in to the Microsoft Entra admin center.
  2. In the left navigation, go to Identity → Applications → App registrations.
  3. Click New registration.


Step 2 — Register the Application

  1. Name: Enter a recognisable name, e.g. Buckaroo Plaza SSO.
  2. Supported account types: Select Accounts in this organizational directory only (Single tenant). This ensures only users from your Entra tenant can sign in.
  3. Redirect URI: Select Web as the platform and enter: https://plaza.buckaroo.nl/Login/SsoCallback
  4. Click Register.

Step 3 — Copy the Application (Client) ID

After registration you are taken to the Overview page. Copy the Application (client) ID — you will need this when configuring OIDC in Plaza.


Step 4 — Create a Client Secret

  1. In the left menu, click Certificates & secrets.
  2. Under Client secrets, click New client secret.
  3. Enter a description (e.g. Plaza production) and choose an expiry period. We recommend 24 months.
  4. Click Add. Immediately copy the secret Value (not the Secret ID). You cannot view it again after leaving this page.

ℹ️ Important: Set a calendar reminder to rotate the client secret before it expires. When the secret expires, SSO will stop working until you create a new secret and update it in Plaza.
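
A scheduled check can back up the calendar reminder. The script below is an added example, not part of Buckaroo's tooling: it classifies each client secret from the JSON that `az ad app credential list --id <client-id>` prints. The 60-day warning window, the function names and the sample values are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample, shaped like the JSON printed by
# `az ad app credential list --id <client-id>` (all values are made up).
SAMPLE_CREDENTIALS = """[
  {"displayName": "Plaza production", "keyId": "00000000-0000-0000-0000-000000000001",
   "endDateTime": "2026-03-01T09:00:00Z"},
  {"displayName": "Plaza old", "keyId": "00000000-0000-0000-0000-000000000002",
   "endDateTime": "2024-01-10T09:00:00Z"}
]"""

def parse_utc(ts):
    """Parse a timestamp such as 2026-03-01T09:00:00Z or ...00.1234567Z as UTC."""
    base = ts.split(".")[0].rstrip("Z")  # drop fractional seconds and the Z suffix
    return datetime.fromisoformat(base).replace(tzinfo=timezone.utc)

def rotation_report(credentials_json, now, warn_days=60):
    """Return (name, status, days_left) per client secret, most urgent first.

    status is "expired", "rotate" (inside the warning window) or "ok".
    warn_days=60 is an assumed default; pick what fits your change process.
    """
    report = []
    for cred in json.loads(credentials_json):
        days_left = (parse_utc(cred["endDateTime"]) - now).days
        if days_left < 0:
            status = "expired"
        elif days_left <= warn_days:
            status = "rotate"
        else:
            status = "ok"
        report.append((cred.get("displayName") or cred["keyId"], status, days_left))
    return sorted(report, key=lambda row: row[2])

if __name__ == "__main__":
    for name, status, days_left in rotation_report(
            SAMPLE_CREDENTIALS, datetime.now(timezone.utc)):
        print(f"{status:8} {days_left:6} days  {name}")
```

Expired secrets that are still listed are worth deleting from the app registration once Plaza has been updated with the new value.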


Step 5 — Determine Your Authority URL

Plaza uses the Authority URL to automatically discover the authorization and token endpoints. For Entra ID, the authority URL follows this format:

https://login.microsoftonline.com/{tenant-id}

Replace {tenant-id} with the Directory (tenant) ID shown on the app registration’s Overview page.
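
An incorrect Authority URL is one of the common causes of a failed SSO test, so it is worth checking the value before pasting it into Plaza. The following is an added example, not Plaza's own code: it validates the single-tenant format above and sanity-checks a discovery document, assuming the standard OIDC discovery path (/.well-known/openid-configuration); function names and the sample document are constructed.

```python
import uuid
from urllib.parse import urlsplit

HOST = "login.microsoftonline.com"

def discovery_url(authority):
    """Check the authority against the single-tenant format from this guide.

    Returns (tenant_id, discovery_url); raises ValueError with the reason otherwise.
    """
    parts = urlsplit(authority.strip())
    if parts.scheme != "https" or parts.netloc.lower() != HOST:
        raise ValueError("authority must start with https://" + HOST + "/")
    if parts.query or parts.fragment:
        raise ValueError("authority must not carry a query string or fragment")
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) != 1:
        raise ValueError("path must be exactly the tenant ID, got " + repr(parts.path))
    try:
        tenant = str(uuid.UUID(segments[0]))
    except ValueError:
        # Catches "common", "organizations" and an unreplaced {tenant-id} placeholder.
        raise ValueError("not a Directory (tenant) ID: " + repr(segments[0])) from None
    return tenant, "https://%s/%s/.well-known/openid-configuration" % (HOST, tenant)

def discovery_problems(doc, tenant):
    """List problems in a fetched discovery document; an empty list means none found."""
    problems = []
    for field in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = doc.get(field, "")
        if not value:
            problems.append("missing " + field)
        elif urlsplit(value).scheme != "https":
            problems.append(field + " is not https")
        elif field != "jwks_uri" and tenant not in value.lower():
            # Sign-in and token endpoints should stay scoped to your own tenant.
            problems.append(field + " is not scoped to tenant " + tenant)
    return problems

# Constructed document for illustration; a real one has many more fields.
TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_DOC = {
    "issuer": "https://sts.windows.net/%s/" % TENANT,
    "authorization_endpoint": "https://%s/%s/oauth2/authorize" % (HOST, TENANT),
    "token_endpoint": "https://%s/%s/oauth2/token" % (HOST, TENANT),
    "jwks_uri": "https://%s/common/discovery/keys" % HOST,
}
```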

Step 6 — Verify API Permissions

The default permissions are usually sufficient. Verify the following delegated permissions exist under API permissions:

  • openid — allows sign-in
  • profile — provides the user’s name
  • email — provides the user’s email address

If any are missing, click Add a permission → Microsoft Graph → Delegated permissions, add them, and click Grant admin consent.

You now have the three values you need for Plaza: the Authority URL, Client ID, and Client Secret.


Part 2: Assign Users in Entra ID

When you created the App Registration, Entra ID automatically created a corresponding Enterprise Application. This is where you control which users can sign in to Plaza.


Step 1 — Open the Enterprise Application

  1. In the Entra admin center, go to Identity → Applications → Enterprise applications.
  2. Find your application (Buckaroo Plaza SSO) and click on it.

Step 2 — Enable User Assignment

  1. In the left menu, click Properties.
  2. Set Assignment required? to Yes. This ensures only explicitly assigned users can sign in. If set to No, everyone in your directory has access.
  3. Click Save.

ℹ️ Recommendation: Always keep Assignment required set to Yes for full control over who can access Plaza.


Step 3 — Assign Users or Groups

  1. In the left menu, click Users and groups.
  2. Click Add user/group.
  3. Search for the users or groups to grant access:
     • Individual users — select specific people by name or email.
     • Security groups — assign an entire group at once (recommended).

ℹ️ Tip: Create a dedicated security group (e.g. "Buckaroo Plaza Users") and manage membership there. This is easier than assigning individual users to the app.


Removing Access

To revoke access: go to Enterprise applications → your app → Users and groups, select the user or group, and click Remove. The user will be unable to sign in at their next session.


Part 3: Configure SSO in Plaza

With the Entra side ready, you can now set up SSO entirely from the Plaza interface.


Step 1 — Open the SSO Setup

  1. In Plaza, go to the Merchant menu.
  2. Click Single Sign-On.
  3. Click Setup.

Step 2 — Register and Verify Your Domain

Plaza needs to verify that you own the domain your users will sign in with. You can add one or multiple domains.

  1. Enter your domain (e.g. yourcompany.com) and click Add. Repeat for additional domains if needed.
  2. For each domain, Plaza shows a DNS TXT record you need to create. Add the following record in your DNS provider:
     • Record type: TXT
     • Host / Name: _buckaroo-verify
     • Value: The UUID shown in Plaza (unique per domain)
  3. Once the DNS record has propagated, click Verify in Plaza. The domain status will change to verified.

ℹ️ DNS propagation: It can take a few minutes for the TXT record to become visible. If verification fails, wait a moment and try again.
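
Before clicking Verify, you can confirm what resolvers actually return for the record. This is an added example, not part of Plaza: it parses the output of `dig +short TXT <name>` and compares it with the UUID shown in Plaza. It assumes the Host / Name value is relative to your domain; the function names and the sample UUID in the comment are constructed.

```python
import re

def record_name(domain):
    """FQDN to query, assuming the Host/Name value is relative to the domain."""
    return "_buckaroo-verify." + domain.strip().strip(".").lower()

def txt_values(dig_output):
    """Extract TXT values from `dig +short TXT <name>` output.

    One answer per line; a value split into several quoted strings is joined.
    """
    values = []
    for line in dig_output.splitlines():
        chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if chunks:
            values.append("".join(chunks))
    return values

def check_txt(expected, dig_output):
    """Compare the value shown in Plaza with what resolvers return.

    Returns "match", "format-differs" (same value apart from case or
    surrounding whitespace), "mismatch" or "not-visible".
    """
    found = txt_values(dig_output)
    if not found:
        return "not-visible"
    if expected in found:
        return "match"
    if expected.strip().lower() in {v.strip().lower() for v in found}:
        return "format-differs"
    return "mismatch"

if __name__ == "__main__":
    import subprocess, sys
    # Usage: python check_txt.py yourcompany.com 1b4e28ba-2fa1-11d2-883f-0016d3cca427
    domain, expected = sys.argv[1], sys.argv[2]
    out = subprocess.run(["dig", "+short", "TXT", record_name(domain)],
                         capture_output=True, text=True).stdout
    print(record_name(domain), "->", check_txt(expected, out))
```

A "not-visible" result on the expected name often means the DNS provider appended the zone to a fully qualified host name, so the record ended up one level too deep.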


Step 3 — Configure OIDC

  1. Click Setup OIDC.
  2. Select Microsoft Entra ID as your provider. This pre-fills the standard claim configuration for Entra.
  3. Authority URL: Enter your Entra authority URL from Part 1, Step 5 (https://login.microsoftonline.com/{tenant-id}, with your own tenant ID).
  4. Client ID: Enter the Application (client) ID from Part 1.
  5. Client Secret: Enter the Client Secret value from Part 1.
  6. Click Save.

Step 4 — Test the SSO Flow

Before enabling SSO for your users, click Test SSO. This initiates a sign-in flow against your Entra tenant to validate that the configuration is correct. You will be redirected to Microsoft’s login page and back to Plaza.

If the test succeeds, you will see a success confirmation. If it fails, review the error message — common causes are an incorrect Authority URL, wrong Client ID, or an expired secret.


Step 5 — Enable SSO

Once the test passes, click Enable SSO to activate Single Sign-On for your merchant account.

Optionally, enable Force SSO. When forced, normal username/password sign-in is disabled for all mapped users. They can only sign in through SSO.


Step 6 — Map Users

Go to the User Mapping page. This is where you link the identities from your identity provider to existing Plaza user accounts.

ℹ️ How user mapping works: In Plaza, the unique login identifier is the username, not the email address. Email addresses can be duplicated across accounts, so Plaza matches on email only when it is unique within your merchant account for a verified domain.

Auto-Map

Click Auto-Map to let Plaza automatically match users. Plaza will map every user whose email address is unique within your merchant account and belongs to one of your verified domains. After auto-mapping, Plaza shows a report of:

  • Successfully mapped users — these are ready to sign in via SSO.
  • Users that could not be mapped — either the email matched multiple Plaza accounts, or no Plaza account was found for that email. These need to be mapped manually.
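
To see in advance which users will need manual mapping, you can model the rule described above on your own user lists. This is an added example, not Plaza's implementation: the function name, the input shapes, the case-insensitive email comparison and the sample data are assumptions.

```python
from collections import defaultdict

def automap_preview(idp_emails, plaza_accounts, verified_domains):
    """Model of the auto-map rule: unique email within the merchant, verified domain.

    idp_emails: emails of the users assigned to the app in Entra ID.
    plaza_accounts: (username, email) pairs for one merchant account.
    Returns (mapped, unmapped): {email: username} and {email: reason}.
    """
    domains = {d.strip().strip(".").lower() for d in verified_domains}
    by_email = defaultdict(list)
    for username, email in plaza_accounts:
        # Assumption: emails are compared case-insensitively.
        by_email[email.strip().lower()].append(username)

    mapped, unmapped = {}, {}
    for raw in idp_emails:
        email = raw.strip().lower()
        matches = by_email.get(email, [])
        if email.rpartition("@")[2] not in domains:
            unmapped[email] = "domain not verified"
        elif not matches:
            unmapped[email] = "no Plaza account with this email"
        elif len(matches) > 1:
            # A shared address must never pick an account silently.
            unmapped[email] = "email shared by: " + ", ".join(sorted(matches))
        else:
            mapped[email] = matches[0]
    return mapped, unmapped

# Constructed sample data.
IDP_EMAILS = ["a.jansen@yourcompany.com", "finance@yourcompany.com",
              "new.hire@yourcompany.com", "contractor@partner.example"]
PLAZA_ACCOUNTS = [("ajansen", "a.jansen@yourcompany.com"),
                  ("fin-admin", "finance@yourcompany.com"),
                  ("fin-readonly", "Finance@yourcompany.com")]

if __name__ == "__main__":
    mapped, unmapped = automap_preview(IDP_EMAILS, PLAZA_ACCOUNTS, ["yourcompany.com"])
    for email, username in mapped.items():
        print("auto-map ", email, "->", username)
    for email, reason in unmapped.items():
        print("manual   ", email, "(" + reason + ")")
```

Shared addresses such as finance@ are the cases to review by hand, because the accounts behind them can carry different permissions.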

Manual Mapping

For users that could not be auto-mapped, or if you prefer full control, you can manually assign each identity provider user to a specific Plaza account under your merchant.


Need Help?

If you run into issues during setup, contact Buckaroo support. Include your merchant name and the domain(s) you are trying to configure. Our support team can verify the integration status from our side.