Create SAML application with Microsoft Entra ID (Azure)

This guide outlines the steps to create and configure a SAML application in Microsoft Entra ID (Azure), including setup, user assignment, and metadata submission.


Step 1: Create an enterprise app

  1. Go to the Azure Portal, open the portal menu and select Enterprise applications.
  2. Click New application.
  3. Click Create your own application.
  4. Provide a name for your app, select Integrate any other application you don't find in the gallery (Non-gallery), and click Create.

Step 2: Basic SAML configuration

  1. In the Overview page, select Set up single sign-on.
  2. Select SAML.
  3. Click Edit.
  4. Paste the values provided by the application (the service provider) into the Basic SAML Configuration fields, in particular Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL), and click Save.

Step 3: Assign users

After creating the enterprise application, you should proceed to assign individual users or groups so that they can authenticate using SAML.

  1. Select Users and groups from the left menu.
  2. Click Add user/group.
  3. Click None Selected.
  4. Search for the user or group you wish to add and click Select.
  5. Click Assign.

Step 4: Fill attribute statements (optional)

  1. Under Attributes & Claims (optional), click Edit.
  2. Map the user attributes the application requires.
  3. Add a groups claim to pass the user's groups.
  4. Choose whether the groups attribute will be transferred as an ID or as a name and edit the attribute name to be groups.

Group Object ID vs. Group Name in Microsoft Entra

Microsoft Entra by default sends the group's object ID rather than the group name. Group names may not be available for certain types of groups. In such cases, ensure that you map group IDs to roles instead of group names.

  5. When using group-to-role mapping, make sure to map the correct attribute type (object ID or group name) to application roles in the Manage Authorization step.
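The caveat above is easiest to see in code. The following Python script is an added example, not part of this guide or of the application's own code: it pulls the `groups` attribute out of a constructed SAML assertion shaped like the one Entra ID emits with the default "Group ID" source, and shows that a role map keyed by group name silently yields no roles for such an assertion, while a map keyed by object ID works. The object IDs, the UPN and the two role maps (`ROLES_BY_OBJECT_ID`, `ROLES_BY_GROUP_NAME`) are made up for the example, and the script assumes the assertion's XML signature was already verified before its attributes are read.

```python
import uuid
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (signature omitted), shaped like the one Entra ID
# emits when the groups claim is renamed to "groups" and its source is left at
# the default "Group ID". The object IDs and the UPN are made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue xsi:type="xs:string">alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue xsi:type="xs:string">1b2c3d4e-0000-4000-8000-000000000001</saml:AttributeValue>
      <saml:AttributeValue xsi:type="xs:string">1b2c3d4e-0000-4000-8000-000000000002</saml:AttributeValue>
      <saml:AttributeValue xsi:type="xs:string">1b2c3d4e-0000-4000-8000-000000000003</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Two hypothetical service-provider role maps: one keyed by Entra group object
# ID, one keyed by display name. Only one of them matches what Entra sends.
ROLES_BY_OBJECT_ID = {
    "1b2c3d4e-0000-4000-8000-000000000001": "admin",
    "1b2c3d4e-0000-4000-8000-000000000002": "viewer",
}
ROLES_BY_GROUP_NAME = {
    "App Admins": "admin",
    "App Viewers": "viewer",
}


def extract_attribute(assertion_xml: str, name: str) -> list[str]:
    """Return every AttributeValue of the named attribute, in document order.

    Assumes the caller has already verified the assertion's XML signature;
    attributes from an unverified assertion must never drive authorization.
    """
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") != name:
            continue
        for val in attr.iterfind("saml:AttributeValue", SAML_NS):
            if val.text and val.text.strip():
                values.append(val.text.strip())
    return values


def is_object_id(value: str) -> bool:
    """True if the value parses as a GUID, i.e. looks like an Entra object ID."""
    try:
        uuid.UUID(value)
    except ValueError:
        return False
    return True


def groups_to_roles(groups: list[str], role_map: dict[str, str]) -> set[str]:
    """Map group values to application roles; groups with no mapping are ignored."""
    return {role_map[g] for g in groups if g in role_map}


def resolve_roles(assertion_xml: str) -> set[str]:
    """Pick the role map that matches the shape of the groups claim received."""
    groups = extract_attribute(assertion_xml, "groups")
    if not groups:
        return set()
    if all(is_object_id(g) for g in groups):
        return groups_to_roles(groups, ROLES_BY_OBJECT_ID)
    return groups_to_roles(groups, ROLES_BY_GROUP_NAME)


if __name__ == "__main__":
    groups = extract_attribute(SAMPLE_ASSERTION, "groups")
    print("groups claim:", groups)
    print("roles via object-ID map:", groups_to_roles(groups, ROLES_BY_OBJECT_ID))
    print("roles via group-name map:", groups_to_roles(groups, ROLES_BY_GROUP_NAME))
    print("resolved:", resolve_roles(SAMPLE_ASSERTION))
```

With the sample assertion, the object-ID map yields `{"admin", "viewer"}` (the third group has no mapping and is ignored), while the name-based map yields an empty set: the user logs in but gets no roles, which is the failure mode the note above warns about. If you switch the claim source to group name in Entra, re-check the role mapping, since groups without a resolvable name will still be missing from the claim.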

Step 5: Upload Identity Provider metadata

The final step for implementing SAML SSO requires sharing your identity provider's metadata with the application.

Automatic configuration

  1. Click Single sign-on in the left menu.
  2. Locate App Federation Metadata Url under SAML Signing Certificates.
  3. Select Copy to copy the link, then paste it below.

Manual configuration

  1. Click Single sign-on in the left menu.
  2. Download the certificate as Base64 and paste its content into the Public Certificate section.
  3. Copy the Login URL and paste it as the SSO Endpoint.

Example values

The values shown above are examples only. The actual values are configured by the application manager on the service provider side.
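The two configuration paths above carry the same information: the metadata document at the App Federation Metadata Url contains the Login URL and the Base64 signing certificate you would otherwise copy by hand. The following Python script is an added example, not part of this guide or of the application's own code: it parses a constructed metadata document shaped like the one Entra serves, extracts the entity ID, the HTTP-Redirect single sign-on endpoint and the signing certificate, wraps the certificate as PEM for the Public Certificate field, and runs two sanity checks a service provider should apply before trusting the result (the SSO endpoint must be `https`, and the tenant in the issuer must match the tenant in the SSO URL). The tenant ID is made up, and `FAKE_CERT_B64` is a placeholder byte string, not a real X.509 certificate.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for the signing certificate; NOT a real X.509 certificate.
FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
# Made-up tenant ID used in the sample document below.
TENANT_ID = "00000000-1111-2222-3333-444444444444"

# Constructed sample shaped like the document served at the App Federation
# Metadata Url (the metadata's own XML signature is omitted for brevity).
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT_ID}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{FAKE_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{TENANT_ID}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/{TENANT_ID}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract entity ID, SSO endpoint and signing certificate(s) from IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("document is not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if not entity_id or idp is None:
        raise ValueError("missing entityID or IDPSSODescriptor")

    certs = []
    for kd in idp.iterfind("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            b64 = "".join((cert.text or "").split())
            base64.b64decode(b64, validate=True)  # reject garbage before it is pasted anywhere
            certs.append(b64)

    # Prefer the redirect binding; Entra publishes the same location for both.
    endpoints = {s.get("Binding"): s.get("Location") for s in idp.iterfind("md:SingleSignOnService", NS)}
    sso_url = endpoints.get(REDIRECT_BINDING) or endpoints.get(POST_BINDING)
    if not sso_url or not certs:
        raise ValueError("metadata lacks an SSO endpoint or a signing certificate")
    if urlparse(sso_url).scheme != "https":
        raise ValueError("SSO endpoint must be served over https")
    return {"entity_id": entity_id, "sso_url": sso_url, "signing_certs": certs}


def to_pem(b64: str) -> str:
    """Wrap a bare Base64 certificate body as PEM, as the Public Certificate field expects."""
    body = "\n".join(textwrap.wrap(b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def tenant_of(entity_id: str) -> str:
    """Entra's issuer is https://sts.windows.net/<tenant>/; return the tenant segment."""
    return urlparse(entity_id).path.strip("/")


def consistent_tenant(meta: dict) -> bool:
    """The tenant named in the issuer must also appear in the SSO endpoint path."""
    tenant = tenant_of(meta["entity_id"])
    return bool(tenant) and tenant in urlparse(meta["sso_url"]).path.split("/")


def is_valid_metadata(xml_text: str) -> bool:
    """True if the document parses and passes the checks in parse_idp_metadata."""
    try:
        parse_idp_metadata(xml_text)
    except (ValueError, ET.ParseError):
        return False
    return True


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    print("Entity ID:   ", meta["entity_id"])
    print("SSO Endpoint:", meta["sso_url"])
    print("Tenant match:", consistent_tenant(meta))
    print(to_pem(meta["signing_certs"][0]))
```

Fetch the metadata only over HTTPS from the exact URL copied out of the portal; with automatic configuration the application will trust whatever certificate that URL serves, so the URL itself is the root of trust. If the metadata lists more than one signing certificate (Entra does this during certificate rollover), keep all of them until the old one expires.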

Step 6: Proceed with domain claiming and role assignment

  1. Click Proceed with domain claiming and role assignment to confirm that the IdP configuration form is complete.
  2. Follow the instructions in the Self-service SAML configuration guide to complete this step and manage authorization.