In this article, you use the Microsoft Entra admin center to enable single sign-on (SSO) for an enterprise application that you added to your Microsoft Entra tenant. After you configure SSO, your users can sign in by using their Microsoft Entra credentials.
Enable single sign-on
To set up SAML SSO:
1. Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
2. Browse to Entra ID > Enterprise apps > All applications.
3. Select "New application".
4. Create a custom enterprise application for Extraordinary Pay by selecting "Create your own application". Under "What are you looking to do with your application?", select "Integrate any other application you don't find in the gallery (Non-gallery)".
5. In the Manage section of the application menu, select Single sign-on to open the Single sign-on pane for editing. You can also select "Set up single sign on" on the screen shown immediately after creating the application.
6. On the Single sign-on page, select SAML to open the SAML configuration page. You will need to enter the pieces of information depicted below. Note: by default Entra emits its claims with a namespace prefix (for example http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ or http://schemas.microsoft.com/identity/claims/). Our platform is not Entra specific and matches on the bare claim name, so namespaced claims will fail to match. Under Attributes & Claims, edit each claim and clear its Namespace field so that only the short name (for example givenname, surname, emailaddress) is sent.
7. Take note of the App Federation Metadata Url. You will need to enter this into the customer portal to establish the connection between Extraordinary and Entra; the metadata document it serves carries Entra's entity ID, sign-on endpoint and signing certificate, so copy the URL exactly.
8. Next, navigate to the Customer Portal's settings page. Assuming you have the appropriate permissions within your organization, you will see a SAML tab, which leads to a screen resembling the below:
9. Here, take note of your Entity ID and the ACS URL. These must be entered in Entra (as Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) under Basic SAML Configuration), as shown in step 6 above.
10. Enter your Entra Metadata URL, as shown in step 7 above.
11. Next, enter a comma-separated list of Home Realm Domains: every domain your organization's users sign in with. For example, if users sign in from marketing.mycompany.com, sales.mycompany.com and support.mycompany.com and all of them should be able to sign in to Extraordinary, your exact input would be marketing.mycompany.com,sales.mycompany.com,support.mycompany.com
12. Sign-On URL is optional and unused in self-service setups. You can leave it blank.
13. For users to sign in to Extraordinary via the application you've just created, each Entra user must be assigned to the application; otherwise they will receive an error from Entra at sign-in. Do this under "Users and groups" in the left pane, just above "Single sign-on".
Before you confirm, go back and forth between Entra and the form above and make sure that every value lines up exactly (Entity ID, ACS URL, metadata URL and claim names). Even a small mismatch will prevent login.
Please note: Entra offers to test the connection for you (the Test button on the SAML sign-on page). That test performs an IdP-initiated sign-in, and we only support sign-in requests initiated from our platform (SP-initiated), so the test will always fail. This is not a bug, nor a login failure. Sign in from the portals or the mobile app instead.
If:
- Your Entity ID is correct in Entra
- You've entered the ACS URL in Entra
- You've ensured your SAML attribute mappings look exactly like the example in step 6
- You're about to supply us with the correct Metadata url
- You've entered in all of the domains you need to authenticate from
Then you can go ahead and apply the setup in the customer portal. If everything is aligned correctly, your users will be moved to SAML SSO. If something went wrong, no worries: reach out to support and we can help you troubleshoot.
Post-setup, you may optionally ask the support team to disable our additional layer of MFA entirely for your organization in favor of using only your own. Before requesting this, confirm that Entra (for example through Conditional Access) enforces MFA for this application, since Entra then becomes the only place a second factor is checked.
Note: existing user records may not align with the Entra UserPrincipalName (or whatever you are sending as the SAML NameID, if you overrode it). If so, profile discovery will fail for those users after they authenticate. We recommend SCIM provisioning and management to keep users aligned with your identity platform.