Microsoft (Entra ID) Connection

The Microsoft Entra ID integration connects your <clienta> tenant to SAML-based login.

Purpose

Allow Microsoft Entra-managed users to authenticate to your <clienta> portal under your organization's SSO policy.

Before you start

  • Admin access to Microsoft Entra (Azure portal).
  • Users/groups ready to assign to the Enterprise Application.
  • In your <clienta> portal, go to Setup > SSO and copy: ACS URL, SP Entity ID, SP Login URL, and SP Logout URL.

Steps

Step 1: Log into Azure/Entra and create the app

  1. Sign in to entra.microsoft.com (or Azure portal).
  2. Go to Microsoft Entra ID > Enterprise applications > New application.
  3. Choose the gallery-app flow appropriate for your org, then create or open the application.
  4. Open Single sign-on and choose SAML.

Step 2: Configure Basic SAML settings

  1. Set Identifier (Entity ID) to the SP Entity ID from your <clienta> Setup > SSO page.
  2. Set Reply URL (Assertion Consumer Service URL) to the ACS URL from your <clienta> Setup > SSO page.
  3. Leave Sign on URL blank (see Troubleshooting).
  4. Save.

Step 3: Configure Attributes & Claims

  1. Open Unique User Identifier (Name ID).
  2. Set Source = Attribute.
  3. Set Source attribute = user.mail.
  4. Set Name identifier format = EmailAddress.
  5. Save.

Step 4: Configure SAML certificate signing

  1. In SAML Certificates, click Edit.
  2. Set Signing Option = Sign SAML response and assertion.
  3. Save.
  4. Download the active Certificate (Base64).

Step 5: Collect Entra IdP values

Copy the following from the Entra application's SAML settings:

  • Microsoft Entra Identifier
  • Login URL
  • Certificate (Base64)

Step 6: Add Microsoft provider in your <clienta> portal

  1. Go to Setup > SSO.
  2. Click Add and choose Azure.
  3. Enter:
    • Issuer Entity ID = Microsoft Entra Identifier
    • SSO URL (IdP Login URL) = Login URL
    • X.509 Certificate = Certificate (Base64) you downloaded
  4. (Optional) Set as primary provider.
  5. Save and run a login test.

Troubleshooting

  • Leave Sign on URL blank. If it is set incorrectly, users may get "Cannot GET /sso-login".
  • Use Signing Option = Sign SAML response and assertion. Signing only the response or only the assertion can cause "Invalid document signature".
  • Ensure the NameID source attribute is user.mail when users are identified by email address.
  • Ensure users are assigned in Entra and active in your <clienta> portal.
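To confirm that a captured SAML response reflects Steps 2 to 4 (Audience = SP Entity ID, Destination = ACS URL, NameID in EmailAddress format, signatures on both the Response and the Assertion), the following added diagnostic can be run against a decoded response. It is example code written for this guide, not part of the <clienta> portal or of Entra; the SP Entity ID, ACS URL and the response XML are constructed sample values, and the check only confirms the signature elements are present, it does not cryptographically verify them.

```python
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SP_ENTITY_ID = "https://portal.example.com/sso/metadata"  # constructed value
ACS_URL = "https://portal.example.com/sso/acs"            # constructed value

# Constructed skeleton of an Entra-style Response; signature contents are placeholders.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Destination="{ACS_URL}">
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Assertion>
    <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="{EMAIL_FORMAT}">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{SP_ENTITY_ID}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def check_saml_response(xml_text, sp_entity_id, acs_url):
    """Return a list of mismatches against this guide's settings; [] means all checks passed."""
    root = ET.fromstring(xml_text)
    problems = []
    # Step 4: both the Response and the Assertion must carry a Signature element.
    if root.find("ds:Signature", NS) is None:
        problems.append("Response is not signed (Step 4: Signing Option)")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element in Response"]
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion is not signed (Step 4: Signing Option)")
    # Step 3: NameID must use the EmailAddress format (source attribute user.mail).
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not EmailAddress (Step 3)")
    # Step 2: Audience and Destination must equal the SP values from Setup > SSO.
    audience = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or audience.text != sp_entity_id:
        problems.append("Audience does not match SP Entity ID (Step 2)")
    if root.get("Destination") != acs_url:
        problems.append("Destination does not match ACS URL (Step 2)")
    return problems
```

Calling check_saml_response(SAMPLE_RESPONSE, SP_ENTITY_ID, ACS_URL) returns an empty list; a response whose NameID format is not EmailAddress, or whose Destination differs from the ACS URL, returns the corresponding message.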