## Create SAML application with Microsoft Entra ID (Azure)

This guide outlines the steps to create and configure a SAML application in Microsoft Entra ID (Azure), including setup, user assignments, and metadata submission.

### Step 1: Create an enterprise app

1. Go to the Azure Portal, open the portal menu and select **Enterprise applications**.

   ![azure](/assets/azure-1.b19552e0d53007692ad4df9938c58530e3c607ac60eaf062d29190e4a5d671fd.dba07de7.png)

2. Click **New application**.

   ![azure](/assets/azure-2.a9e1b847fde8518e4d0d86e015d898b149618d987ed72fe936eaf218811318af.dba07de7.png)

3. Click **Create your own application**.

   ![azure](/assets/azure-3.a599c42dfbf502c52ebfa08a70cc3d5842149998ca53b18ef81604d4b5d5ccd1.dba07de7.png)

4. Provide a name for your app, select **Integrate any other application you don't find in the gallery (Non-gallery)**, and click **Create**.

   ![azure](/assets/azure-4.c83f7877b5a362f2d7ed475ab8ee78e9065e9159f8ac11685c20b1c648103b96.dba07de7.png)

### Step 2: Basic SAML configuration

1. On the Overview page, select **Set up single sign-on**.

   ![okta](/assets/azure-5.d820f36b8e3f0b374423154c49df67fcb160da8078f7ddd8c6a0d0a22f5bb95d.dba07de7.png)

2. Select **SAML**.

   ![okta](/assets/azure-6.0b17bc0ff8c278d244abd3635fac5faa8a30c7db464b0dd85829aedfbf003c9f.dba07de7.png)

3. Click **Edit**.

   ![okta](/assets/azure-7.6e093a37643a2d566df785667f1b060129eb1f90d71e47dc11ef747571795c22.dba07de7.png)

4. Paste the following values into the appropriate fields and click **Save**.

   ![okta](/assets/azure-8.bef3e36ef27850f810ae226c1d41bd2eee7704562530d6375ff3d04fd3ceb950.dba07de7.png)

   ![okta](/assets/azure-9.b896861edc601573fef0cecef2e4188401758553d9075977d6be9b08e9419b18.dba07de7.png)

### Step 3: Assign users

After creating the enterprise application, assign individual users or groups so that they can authenticate using SAML.

1. Select **Users and groups** from the left menu.

   ![okta](/assets/azure-10.d851fd11b434fe087b304245ac870089d2442faeef492c61da245459c0fba849.dba07de7.png)

2. Click **Add user/group**.

   ![okta](/assets/azure-11.adfc44085fb8d772e4a495b58edd68d8526bf4a259a068348ff86d0002dcc0dc.dba07de7.png)

3. Click **None Selected**.

   ![okta](/assets/azure-12.4acd926ff96ac9efe18ccd1530b536fddf3d49c568b8101f16e437d78ef4dfb2.dba07de7.png)

4. Search for the user or group you wish to add and click **Select**.

   ![okta](/assets/azure-13.a0f93823553314eb19b10bc5df850489cb1af49943656d3a0351838a6f7a4f95.dba07de7.png)

5. Click **Assign**.

   ![okta](/assets/azure-14.5a2334e6a97c620c6e30f4a67879520bda8b7f2b3425806d314ad9ab7722c001.dba07de7.png)

### Step 4: Fill attribute statements (optional)

1. Under **Attributes & Claims (optional)**, click **Edit**.

   ![okta](/assets/azure-15.46214d75784f4a238bc0fba5be064b7b85f4ccd60ed7e050228af73f2b287955.dba07de7.png)

2. Map the following user attributes:

   ![okta](/assets/azure-16.bf1528ec39344f6a1bec968c1de6d2e34d913efd75324f41eb632922a4c0113b.dba07de7.png)

   ![okta](/assets/azure-17.919bae3e0358583224e12c9c1f912710cdd553f6539854bdf498dbd0807ccd50.dba07de7.png)

3. Add a **groups** claim for passing the user's groups.

   ![okta](/assets/azure-18.185fa25302e0184352fbcadbcae598957c4cb8bf8e0123a57b714302684f2426.dba07de7.png)

   ![okta](/assets/azure-19.c8c58914a98f92fdfb0a3b2b340a46a3c7ca3de06b412298c576a3e87b1476e5.dba07de7.png)

4. Choose whether the **groups** attribute will be transferred as an ID or as a name, and edit the attribute name to be **groups**.

   **Groups limitations**

   - Microsoft Entra sends group object IDs by default, not group names. Some group types may not have names available. It is recommended to map group IDs to roles instead of group names.
   - In some cases user groups are sent as a link; in that case, review [this](/ciam/guides/troubleshoot/errors/scim-and-tenant-sso-issues#how-to-extract-user-groups-from-microsoft-entra-link) article for extracting groups.

5. When using groups-to-roles mapping, make sure to map the correct attribute type to application roles in the **Manage Authorization** step.

   ![okta](/assets/azure-20.3a817af10c560e30be03b4bacae1a0939c235c38040ff6dcb636103815e97bee.dba07de7.png)

### Step 5: Upload Identity Provider metadata

The final step for implementing SAML SSO is sharing your identity provider's metadata with the application.

#### Automatic configuration

1. Click **Single sign-on** in the left menu.
2. Locate **App Federation Metadata Url** under **SAML Signing Certificates**.
3. Select **Copy** to copy the link, then paste it below.

   ![okta](/assets/azure-21.61c51264503cd81c428f6cc8a6418f7cc17d7e969e3859f9c61d478ed29ca20f.dba07de7.png)

   ![okta](/assets/azure-22.5fb0418bb2e7b103e163f44a058be57ca2e434462a967d2eef3b8a98c95e1156.dba07de7.png)

#### Manual configuration

1. Click **Single sign-on** in the left menu.
2. Download the certificate as **Base64** and paste **its content** into the **Public Certificate** section.
3. Copy the **Login URL** and paste it as the **SSO Endpoint**.

   ![okta](/assets/azure-23.c5a3a02e282500875b87e8e067577b9068db48996db80402a6fb171c6a330ffc.dba07de7.png)

   ![okta](/assets/azure-24.cb4a5b614ed416721cf1e7edd5d49d2ab351cfc76b3d8e667cd3d803c7c9bf6f.dba07de7.png)

**Example values**: the values shown above are just examples. The actual values are configured by the application manager on the service provider side.

### Step 6: Proceed with domain claiming and role assignment

1. Click **Proceed with domain claiming and role assignment** to confirm that the IdP form configuration is complete.
2. Follow the instructions in the [Self-service SAML configuration](/ciam/guides/authentication/sso/self-service/saml#claim-domain) guide to complete this step and manage authorization.
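The groups-to-roles mapping from Step 4 and the two limitations listed there (object IDs rather than names, and groups occasionally delivered as a link), shown as an added example that is not part of this guide or the product: the service-provider side reads the `groups` attribute from an assertion, maps each group object ID to an application role, and flags the overage case instead of silently granting nothing. The assertion XML, the group IDs and the role table are constructed; the overage claim name is the one Entra emits when a user has too many groups for the token. The code assumes the assertion has already been signature-verified by the SAML library in front of it.

```python
"""Map the 'groups' SAML attribute from an Entra ID assertion to application roles.

Added example, not from the guide. The assertion below is constructed; the
group object IDs and the role table are hypothetical. Signature validation
of the assertion is assumed to have happened before this code runs.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical mapping from Entra group object IDs to application roles.
# Keyed on object IDs, not display names, because Entra sends IDs by default
# and some group types have no name available.
GROUP_ID_TO_ROLE = {
    "11111111-2222-3333-4444-555555555555": "admin",
    "66666666-7777-8888-9999-000000000000": "viewer",
}

# Claim Entra emits instead of 'groups' when the user's group count exceeds
# the token limit (the "groups sent as a link" case noted in Step 4).
GROUPS_LINK_CLAIM = "http://schemas.microsoft.com/claims/groups.link"

# Constructed assertion: three groups, one of which is not in the role table.
ASSERTION_WITH_GROUPS = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-1" Version="2.0">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
      <saml:AttributeValue>66666666-7777-8888-9999-000000000000</saml:AttributeValue>
      <saml:AttributeValue>aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed assertion for the overage case: a link claim, no 'groups' claim.
ASSERTION_WITH_LINK = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-2" Version="2.0">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/claims/groups.link">
      <saml:AttributeValue>https://GRAPH-LINK-PLACEHOLDER/getMemberObjects</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml: str) -> dict[str, list[str]]:
    """Return {attribute name: [values]} from every AttributeStatement in the document."""
    root = ET.fromstring(assertion_xml)
    attrs: dict[str, list[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name", "")] = values
    return attrs


def map_groups_to_roles(assertion_xml: str) -> dict:
    """Resolve roles from group object IDs; report overage and unmapped groups explicitly."""
    attrs = extract_attributes(assertion_xml)
    if GROUPS_LINK_CLAIM in attrs:
        # Groups were not embedded; the caller must resolve them via the link
        # (see the linked troubleshooting article) before assigning any role.
        return {"roles": [], "groups_overage": True,
                "groups_link": attrs[GROUPS_LINK_CLAIM][0], "unknown_groups": []}
    groups = attrs.get("groups", [])
    roles = sorted({GROUP_ID_TO_ROLE[g] for g in groups if g in GROUP_ID_TO_ROLE})
    unknown = [g for g in groups if g not in GROUP_ID_TO_ROLE]
    return {"roles": roles, "groups_overage": False, "groups_link": None,
            "unknown_groups": unknown}


if __name__ == "__main__":
    print(map_groups_to_roles(ASSERTION_WITH_GROUPS))
    print(map_groups_to_roles(ASSERTION_WITH_LINK))
```

Unmapped group IDs are returned rather than dropped so that an operator can see which groups reached the application without a role, and the overage result deliberately yields no roles: treating a missing `groups` claim as "no groups" would grant a default role to exactly the users with the most memberships.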
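Step 5 offers two routes to the same information: the federation metadata URL (automatic) or a Base64 certificate plus the Login URL (manual). As an added example, not code from this guide or the product, the following parses a federation metadata document the way a service provider would for the automatic route, and cross-checks manually pasted values against it so a mismatch (stale certificate, wrong endpoint) is caught before the first login fails. The metadata document is constructed and simplified (a real Entra one is signed and also carries WS-Federation elements); the tenant ID and the certificate body are placeholders.

```python
"""Parse Entra ID federation metadata and cross-check manually entered SSO values.

Added example, not part of the guide. The metadata below is constructed and
simplified; TENANT-ID-PLACEHOLDER and the certificate body are placeholders.
"""
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Not a real certificate: long enough to exercise the 64-column PEM wrapping.
FAKE_CERT_B64 = "MIIFAKECERTPLACEHOLDER" + "A" * 80

METADATA_XML = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>
            {FAKE_CERT_B64}
          </X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{REDIRECT}"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="{POST}"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract entity ID, signing certificates and SSO endpoints from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    certs = []
    for kd in idp.iterfind("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        if kd.get("use") not in (None, "signing"):
            continue
        for c in kd.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join((c.text or "").split()))  # drop pretty-print whitespace
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.iterfind("md:SingleSignOnService", NS)}
    return {
        "entity_id": root.get("entityID"),
        "signing_certs": certs,
        "sso_redirect": sso.get(REDIRECT),
        "sso_post": sso.get(POST),
    }


def to_pem(cert_b64: str) -> str:
    """Render a bare Base64 certificate as PEM, as the Entra 'Base64' download does."""
    body = "\n".join(textwrap.wrap(cert_b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def normalize_pem(pem: str) -> str:
    """Strip PEM armour and whitespace so pasted certificates compare by content."""
    lines = [ln.strip() for ln in pem.splitlines()
             if ln.strip() and not ln.strip().startswith("-----")]
    return "".join(lines)


def manual_values_match(xml_text: str, pasted_cert: str, pasted_sso_url: str) -> bool:
    """True if the manually pasted certificate and SSO endpoint agree with the metadata."""
    meta = parse_idp_metadata(xml_text)
    cert_ok = normalize_pem(pasted_cert) in meta["signing_certs"]
    url_ok = pasted_sso_url in (meta["sso_redirect"], meta["sso_post"])
    return cert_ok and url_ok


if __name__ == "__main__":
    meta = parse_idp_metadata(METADATA_XML)
    print(meta["entity_id"], meta["sso_redirect"])
    print(manual_values_match(METADATA_XML, to_pem(FAKE_CERT_B64), meta["sso_post"]))
```

Comparing on the whitespace-stripped Base64 body rather than the raw pasted text matters in practice: the same certificate arrives with PEM headers from the download but without them from the metadata, and a line-wrapping difference alone should not be reported as a mismatch. When Entra rolls the signing certificate, a metadata document may list more than one `KeyDescriptor`, which is why the parser returns a list and the check tests membership.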