Configuring Single Sign-On on Microsoft Entra ID
For Microsoft Entra ID, you can use a directory for SAML configuration. Specify the users and groups to be allowed to use SAML-based login.

- In addition to the SAML-based single sign-on, single sign-on with Microsoft Entra ID also provides OpenID Connect-based single sign-on. OpenID Connect-based single sign-on is easy to configure, and also supports automatic synchronization. Before you configure SAML-based single sign-on, see "How to configure OpenID Connect-based single sign-on".
In "Login Settings" of "Tenant Info", specify "All" or "Microsoft 365 account".
You will be able to coordinate an account with a Microsoft 365 account in "Initial Login as a General User", "External Service Login Coordination" in "My Account Settings", or Synchronizing IDs.
Configure the account coordination.
You can now log in to this site with your Microsoft 365 account.
1. Creating an enterprise application
Create an enterprise application.
On the left pane, click [Single sign-on], and for "Select a single sign-on method", click [SAML].

Click [Edit] for "Basic SAML Configuration".

Configure the following settings as shown below:
| Item name on Microsoft Entra ID | Value to be specified |
|---|---|
| Identifier (Entity ID) | Copy the Entity ID from "SAML Coordination Settings" in your "Tenant Information" at this site, and then paste it into this field. |
| Reply URL (Assertion Consumer Service URL) | Copy the Reply URL (Assertion Consumer Service URL) from "SAML Coordination Settings" in your "Tenant Information" at this site, and then paste it into this field. |
| Logout Url (Optional) | Copy the Logout Url from "SAML Coordination Settings" in your "Tenant Information" at this site, and then paste it into this field. |
| Others | (Omissible) |
Click [Save].
Configure attributes and claims.
Proceed to "2. Configuring attributes and claims".
2. Configuring attributes and claims
Click [Edit] for "Attributes & Claims".

Click [Unique User identifier (Name ID)].

From the "Source attribute" drop-down list, select "user.mail", and then click [Save].

Configure whether or not to synchronize a user's first and last names.
To synchronize a user's first and last names during single sign-on, proceed to "If a User's First and Last Names are to be Synchronized". For not synchronizing, proceed to "If a User's First and Last Names are not to be Synchronized".
If a User's First and Last Names are to be Synchronized
- Check that the following given name and surname claims are configured as additional claims.

| Claim name | Type | Value |
|---|---|---|
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | SAML | user.givenname |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | SAML | user.surname |
- If they are not configured, click [Add new claim]. Otherwise, proceed to step 3.

- Add the given name as shown in the table below and save it.

| Item name on Microsoft Entra ID | Value |
|---|---|
| Name | givenname |
| Namespace | http://schemas.xmlsoap.org/ws/2005/05/identity/claims |
| Source | Attribute |
| Source attribute | user.givenname |
- Add the surname as shown in the table below and save it.

| Item name on Microsoft Entra ID | Value |
|---|---|
| Name | surname |
| Namespace | http://schemas.xmlsoap.org/ws/2005/05/identity/claims |
| Source | Attribute |
| Source attribute | user.surname |
- Configure SAML coordination.
Proceed to "3. Configuring SAML Coordination".
If a User's First and Last Names are not to be Synchronized
- Check that the following given name and surname claims are configured as additional claims.

| Claim name | Type | Value |
|---|---|---|
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | SAML | user.givenname |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | SAML | user.surname |
- If they are configured, delete the settings. If they are not configured, proceed to the next step.

- Configure SAML coordination.
Proceed to "3. Configuring SAML Coordination".
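Whichever branch you chose, the result can be confirmed from the identity provider's side rather than by trial logins. The Python script below, added here as an example and not part of this page or the site's own code, reads a SAML response (for instance the Base64-decoded SAMLResponse captured with a browser SAML tracer) and checks it against the configuration above: the Name ID must carry the user.mail value, and the givenname and surname claims must be present when names are synchronized and absent when they are not. The two responses embedded in it are constructed samples, and the tenant id in the issuer is a placeholder.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used in an Entra ID response
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
GIVENNAME_CLAIM = CLAIMS_NS + "/givenname"
SURNAME_CLAIM = CLAIMS_NS + "/surname"

# Constructed sample: an assertion as sent after section 2 with names
# synchronized. The issuer tenant id is a placeholder, not a real tenant.
SAMPLE_WITH_NAMES = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_assert1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <saml:AttributeValue>Alice</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <saml:AttributeValue>Example</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample with the name claims deleted ("not to be Synchronized").
SAMPLE_WITHOUT_NAMES = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp2" Version="2.0">
  <saml:Assertion ID="_assert2" Version="2.0">
    <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def extract_claims(response_xml):
    """Return the Name ID and the attribute claims carried by the first assertion."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response contains no plain Assertion (is it encrypted?)")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values
    return {
        "name_id": (name_id.text or "").strip() if name_id is not None else None,
        "attributes": attributes,
    }


def check_claims(response_xml, sync_names):
    """Compare an assertion against the section 2 configuration.

    sync_names=True expects givenname and surname claims with values;
    sync_names=False expects both claims to be absent. Returns a list of
    problems; an empty list means the response matches the chosen setup.
    """
    claims = extract_claims(response_xml)
    problems = []
    name_id = claims["name_id"]
    if not name_id or "@" not in name_id:
        problems.append("Name ID is missing or not an email address; "
                        "set its Source attribute to user.mail")
    for claim in (GIVENNAME_CLAIM, SURNAME_CLAIM):
        values = claims["attributes"].get(claim)
        present = bool(values) and any(values)
        if sync_names and not present:
            problems.append(f"claim {claim} missing or empty; add it under Attributes & Claims")
        if not sync_names and claim in claims["attributes"]:
            problems.append(f"claim {claim} still sent; delete it under Attributes & Claims")
    return problems


if __name__ == "__main__":
    for label, xml_text in (("with names", SAMPLE_WITH_NAMES),
                            ("without names", SAMPLE_WITHOUT_NAMES)):
        for sync in (True, False):
            print(f"{label}, sync_names={sync}: {check_claims(xml_text, sync) or 'OK'}")
```

The check deliberately treats an empty claim value the same as a missing claim: a givenname claim that is configured but sourced from an attribute the user has no value for still leaves the site without a name to synchronize.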
3. Configuring SAML Coordination
1. On "SAML Certificates", click [Download] for "Federation Metadata XML".
2. Open "SAML Coordination Settings" of your "Tenant Info" at this site on a different screen of your web browser.
3. Click [Set as Metadata].
4. Click [Select File], and then upload the XML file downloaded in step 1.
5. After completing step 4, click [Test].
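Before uploading the downloaded file in step 4, it is worth confirming that it really is Entra ID identity-provider metadata and noting the signing-certificate thumbprint, so it can be compared with the certificate shown under "SAML Certificates". The Python script below, added here as an example and not part of this page or the site, does that with the standard library only. Its embedded metadata is a constructed sample: the tenant id is a placeholder and the certificate body is placeholder bytes rather than a real X.509 certificate, so the thumbprints it prints only mean something when run on a real file.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Placeholder certificate body (constructed bytes, NOT a real certificate)
PLACEHOLDER_CERT_B64 = base64.b64encode(
    b"constructed placeholder, not an X.509 certificate").decode()

# Constructed sample shaped like the Federation Metadata XML Entra ID provides;
# TENANT-ID-PLACEHOLDER stands in for the real tenant id.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{PLACEHOLDER_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def summarize_metadata(xml_text):
    """Extract entity id, endpoints and signing-certificate thumbprints."""
    root = ET.fromstring(xml_text)
    summary = {"entity_id": root.get("entityID"), "is_idp": False,
               "sso": {}, "slo": {}, "signing_certs": []}
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return summary
    summary["is_idp"] = True
    for tag, key in (("SingleSignOnService", "sso"), ("SingleLogoutService", "slo")):
        for endpoint in idp.findall(f"md:{tag}", NS):
            binding = (endpoint.get("Binding") or "").rsplit(":", 1)[-1]  # e.g. HTTP-POST
            summary[key][binding] = endpoint.get("Location")
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no "use" means signing and encryption
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            summary["signing_certs"].append({
                "sha1": hashlib.sha1(der).hexdigest().upper(),   # classic thumbprint form
                "sha256": hashlib.sha256(der).hexdigest().upper(),
            })
    return summary


def check_metadata(xml_text):
    """Return a list of problems; an empty list means usable IdP metadata."""
    s = summarize_metadata(xml_text)
    problems = []
    if not s["entity_id"]:
        problems.append("missing entityID")
    if not s["is_idp"]:
        problems.append("no IDPSSODescriptor: this is not identity-provider metadata")
        return problems
    if not (s["sso"].get("HTTP-Redirect") or s["sso"].get("HTTP-POST")):
        problems.append("no HTTP-Redirect or HTTP-POST SingleSignOnService endpoint")
    for key in ("sso", "slo"):
        for binding, location in s[key].items():
            if not (location or "").startswith("https://"):
                problems.append(f"{key} {binding} endpoint is not https: {location}")
    if not s["signing_certs"]:
        problems.append("no signing certificate: assertions could not be verified")
    return problems


if __name__ == "__main__":
    summary = summarize_metadata(SAMPLE_METADATA)
    print("entityID:", summary["entity_id"])
    print("SSO endpoints:", summary["sso"])
    for cert in summary["signing_certs"]:
        print("signing cert SHA-1:", cert["sha1"])
    print("problems:", check_metadata(SAMPLE_METADATA) or "none")
```

To run it on the real download, replace SAMPLE_METADATA with the file contents, for example `check_metadata(open("metadata.xml", encoding="utf-8").read())`. A file that yields "no IDPSSODescriptor" is service-provider metadata (such as the site's own), not the Entra ID file step 1 asks for.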

Configure user access to the enterprise application.
Proceed to "4. Configuring user access to an enterprise application".
4. Configuring user access to an enterprise application
Configuring this allows users in the Microsoft Entra ID directory to use SAML-based login.
To give all users access:
On the left pane, click [Properties].
Set "Assignment required?" to [No], and then click [Save].

To give specific users access:
On the left pane, click [Users and groups].
Click [Add user/group] to specify the users, or the groups they belong to, that are allowed to use SAML-based login.

Configure SAML Coordination Settings at this site.