| **Field** | **Details** |
| Document Type | How-To Guide: SSO Integration |
| Applies To | Microsoft Entra ID, Any SAML 2.0-compatible SaaS or Third-Party Application |
| Audience | 2nd Line / Systems Administrator / IT Engineer |
| Author | AK. Udofeh |
| Last Updated | March 2026 |
| **Check** | **Where** |
| You have Global Administrator or Application Administrator rights in Entra ID | Entra ID > Roles and Administrators |
| The target application supports SAML 2.0 (not only OIDC) | Application vendor documentation |
| You have the application's ACS URL, Entity ID, and SLO URL | Application vendor documentation or SP metadata XML |
| Outbound HTTPS (port 443) from the application server to login.microsoftonline.com is permitted | Firewall / network policy |
| You have admin access to the application's configuration | Application admin console or hosting environment |
For SAML SSO, configuration is done through Enterprise Applications, not App Registrations. An App Registration is created automatically in the background.
- - Navigate to [portal.azure.com](https://portal.azure.com/) > Entra ID > Enterprise Applications > New application. - Click Create your own application. - Enter a display name (e.g. AppName SAML SSO). - Select "Integrate any other application you don't find in the gallery". - Click Create.You will be taken to the application overview page.
Step 2: Configure SAML Settings - Inside the Enterprise Application, go to Single Sign-On > SAML. - Click Edit on the Basic SAML Configuration panel. - Fill in the following fields using values from your application's documentation or SP metadata:Identifier (Entity ID)\*: [https://app.yourdomain.com/saml/metadata](https://app.yourdomain.com/saml/metadata) (this is a Unique URI that identifies the Service Provider) Reply URL (Assertion Consumer Service URL)\*: [https://app.yourdomain.com/saml/acs](https://app.yourdomain.com/saml/acs)(this is where Entra ID posts the signed SAML assertion) Sign-on URL (optional): [https://app.yourdomain.com/login](https://app.yourdomain.com/login) (SP-initiated login entry point) Logout URL (optional): [https://app.yourdomain.com/saml/sls](https://app.yourdomain.com/saml/sls) (SP's Single Logout endpoint)If the application provides a metadata XML URL (e.g. [https://app.yourdomain.com/saml/metadata](https://app.yourdomain.com/saml/metadata)), Entra can import these values automatically — click Upload metadata file at the top of the Basic SAML Configuration panel.
Click Save.
**Step 3: Download the Entra Signing Certificate** - Still in the SAML configuration view, scroll to Section 3 > SAML Certificates. - Download Certificate (Base64) > this produces a .cer or .pem file. - Open the file in a text editor. The content between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- is the base64-encoded certificate value you will need for the application.Store a copy of this certificate securely. If Entra's signing certificate is rotated (e.g. on expiry), the application will fail to validate assertions until the new certificate is imported.
**Step 4: Collect IdP Configuration Values** In the SAML configuration page, note the following values in the "Set up <app name>":| Value | Description |
| Login URL | Entra's SAML SSO endpoint - set as the IdP SSO URL in the application |
| Logout URL | Entra's SAML SLO endpoint - set as the IdP SLO URL in the application |
| Entra ID Identifier | Entra's Entity ID - set as the IdP Entity ID in the application |
| Certificate (Base64) | Signing certificate from Step 3 - used by the application to validate assertions |
| **Claim Name** | **Value** |
| emailaddress | user.mail |
| givenname | user.givenname |
| surname | user.surname |
| name | user.userprincipalname |
By default, Entra sends group Object IDs (GUIDs) in the group claim, not display names. Configure the application's role mapping to use Object IDs, or change the group claim's source attribute to display names if supported.
**Step 6: Restrict Access via Enterprise Application (Recommended)** - In the Enterprise Application, go to Properties. - Set "Assignment required?" to Yes > Save. - Go to Users and groups > Add user/group > assign the relevant users or Entra security groups.Only assigned users will be permitted to authenticate via SAML SSO. Unassigned users receive an Entra-side access denied error before reaching the application.
**Step 7: Configure the Application** In the Service Provider application, enter the values collected in Step 4 into the application's SAML configuration. The exact setting names vary per application - refer to the application vendor's SAML documentation. The standard SAML parameters are:| Application Setting | Value to Enter |
| IdP Entity ID | Entra ID Identifier from Step 4 |
| IdP SSO URL | Login URL from Step 4 |
| IdP SLO URL | Logout URL from Step 4 |
| IdP X.509 Certificate | Certificate base64 content from Step 3 |
| SP Entity ID | Must match the Identifier (Entity ID) entered in Entra Step 2 |
| ACS URL | Must match the Reply URL entered in Entra Step 2 |
| Name ID Format | emailAddress or persistent - check application documentation |
| Binding | HTTP-POST for ACS; HTTP-Redirect for AuthnRequest |
Entra signing certificates expire every 3 years by default. Set a calendar reminder 60 days before expiry to plan a rotation window.
**Single Logout (SLO) does not work - user remains signed in to Entra after signing out of the application** **Cause:** The SLO URL is not configured in either Entra or the application, or the binding types do not match. **Resolution:** - Confirm the Logout URL field in Entra's Basic SAML Configuration points to the application's SLO endpoint. - Confirm the application's IdP SLO URL is set to the Logout URL shown in Entra Section 4. - Entra uses HTTP Redirect binding for logout requests - confirm the application's SLO endpoint accepts GET/Redirect binding, not only POST. **User authenticates successfully in Entra but receives an error or no access in the application** **Cause:** The SAML assertion was accepted, but the user account was provisioned with no role or permissions in the application. **Resolution:** - Log in to the application as an administrator. - Assign an appropriate role to the SSO-provisioned user account. - To automate this for future users, configure a default role for SSO-registered accounts, or implement group-to-role mapping using the group claim configured in Step 6. **Attribute claims are empty or not recognised by the application** **Cause:** The attribute claim names sent by Entra do not match the names the application is expecting. **Resolution:** - In Entra → Enterprise Application > Attributes & Claims, note the full claim URI names being sent (e.g. [http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress](http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress)). - Cross-reference these with the application's expected attribute names from the vendor documentation. - Either rename claims in Entra to match the application, or update the application's attribute mapping to match Entra's output. - Use a SAML tracer browser extension or the application's debug mode to inspect the raw assertion during a test login. **Expected Outcome**| **Factor** | **Detail** |
| Resolution Time | 45–90 minutes for initial configuration; additional time if attribute mapping requires investigation |
| User Impact | Zero - SAML SSO is additive; existing local accounts remain functional during migration |
| Recurrence Risk | Low - primary recurring issue is Entra signing certificate expiry (every 3 years by default) |
| Ongoing Maintenance | Rotate Entra signing certificate before expiry; manage user access via Enterprise Application assignments |