# Microsoft Entra ID and SAML

<Note>This document covers step two of the [Single sign-on (SSO) setup](/docs/administration/single-sign-on) process, and shouldn't be completed independently.</Note>

1. Log in to the [Microsoft Azure](https://portal.azure.com/#home) portal, and click **Microsoft Entra ID**.

   <img src="https://mintcdn.com/matillion/0bH-WuwTaSy4zifJ/images/hub/entra-id-and-saml/entra-id-and-saml-01.png?fit=max&auto=format&n=0bH-WuwTaSy4zifJ&q=85&s=c1a775c30beeff9a7b2fbed4749b0421" alt="Microsoft Entra ID" width="1046" height="734" data-path="images/hub/entra-id-and-saml/entra-id-and-saml-01.png" />

2. At the top of the **Overview** page, click the **Add** menu, and select **Enterprise application**.

   <img src="https://mintcdn.com/matillion/0bH-WuwTaSy4zifJ/images/hub/entra-id-and-saml/entra-id-and-saml-02.png?fit=max&auto=format&n=0bH-WuwTaSy4zifJ&q=85&s=33bd67ccf1cdab13eabf6d32739017fe" alt="Enterprise application" width="1430" height="844" data-path="images/hub/entra-id-and-saml/entra-id-and-saml-02.png" />

3. At the top of **Browse Microsoft Entra Gallery**, click **Create your own application**.

   <img src="https://mintcdn.com/matillion/0bH-WuwTaSy4zifJ/images/hub/entra-id-and-saml/entra-id-and-saml-03.png?fit=max&auto=format&n=0bH-WuwTaSy4zifJ&q=85&s=4a2ce3563087631fe60cf82f5bcb47d1" alt="Create application" width="996" height="834" data-path="images/hub/entra-id-and-saml/entra-id-and-saml-03.png" />

4. Enter a name for the application, such as `{maia}`, and select the **Integrate any other application you don't find in the gallery (Non-gallery)** radio button.

   <img src="https://mintcdn.com/matillion/0bH-WuwTaSy4zifJ/images/hub/entra-id-and-saml/entra-id-and-saml-04.png?fit=max&auto=format&n=0bH-WuwTaSy4zifJ&q=85&s=537fafee140257ab2bf1e7ddbf4adbe8" alt="Radio button selection" width="1120" height="802" data-path="images/hub/entra-id-and-saml/entra-id-and-saml-04.png" />

5. Expand the **Manage** section on the left, and click **Single sign-on**.

   <img src="https://mintcdn.com/matillion/0bH-WuwTaSy4zifJ/images/hub/entra-id-and-saml/entra-id-and-saml-05.png?fit=max&auto=format&n=0bH-WuwTaSy4zifJ&q=85&s=65ff625116a039b772ef36e87090440d" alt="Manage single sign-on" width="1132" height="660" data-path="images/hub/entra-id-and-saml/entra-id-and-saml-05.png" />

6. Click the **SAML** tile to select SAML as the single sign-on method.

   <img src="https://mintcdn.com/matillion/0bH-WuwTaSy4zifJ/images/hub/entra-id-and-saml/entra-id-and-saml-06.png?fit=max&auto=format&n=0bH-WuwTaSy4zifJ&q=85&s=e3c0534970355b471513b4abd6509eba" alt="SAML tile" width="1418" height="514" data-path="images/hub/entra-id-and-saml/entra-id-and-saml-06.png" />

7. Click the **Edit** button on the **Basic SAML Configuration** card.

   <img src="https://mintcdn.com/matillion/0bH-WuwTaSy4zifJ/images/hub/entra-id-and-saml/entra-id-and-saml-07.png?fit=max&auto=format&n=0bH-WuwTaSy4zifJ&q=85&s=b43ea15af25585517d98c14590428689" alt="Edit Basic SAML Configuration" width="1058" height="824" data-path="images/hub/entra-id-and-saml/entra-id-and-saml-07.png" />

8. Enter the following, and click **Save**:

   * **Identifier:** `urn:auth0:matillion:[domain]-saml`, replacing `[domain]` with your primary email domain and converting any special characters to dashes. For instance, `example.com` would become `urn:auth0:matillion:example-com-saml`.
   * **Reply URL:** `https://id.matillion.com/login/callback`.
   * **Sign on URL:** `https://app.matillion.com`.

   <img src="https://mintcdn.com/matillion/0bH-WuwTaSy4zifJ/images/hub/entra-id-and-saml/entra-id-and-saml-08.png?fit=max&auto=format&n=0bH-WuwTaSy4zifJ&q=85&s=7e157b47b03d094ddcecebe1d23f000f" alt="Basic SAML Configuration settings" width="1290" height="1376" data-path="images/hub/entra-id-and-saml/entra-id-and-saml-08.png" />

   <Note>The **Relay State** will be provided by {maia} later, and will be added here before testing. No other configuration should be changed at that stage.</Note>

9. Click the **Edit** button on the **User Attributes & Claims** card.

   <img src="https://mintcdn.com/matillion/0bH-WuwTaSy4zifJ/images/hub/entra-id-and-saml/entra-id-and-saml-09.png?fit=max&auto=format&n=0bH-WuwTaSy4zifJ&q=85&s=2d839a2ddfe6255972d2837007579337" alt="Attributes & Claims selection" width="1258" height="850" data-path="images/hub/entra-id-and-saml/entra-id-and-saml-09.png" />

10. Under **Claim name**, click anywhere in the **Unique User Identifier (Name ID)** row, except the **…** menu, to edit it.

    <img src="https://mintcdn.com/matillion/0bH-WuwTaSy4zifJ/images/hub/entra-id-and-saml/entra-id-and-saml-10.png?fit=max&auto=format&n=0bH-WuwTaSy4zifJ&q=85&s=285c0baccdcf29474c3222e07d5d10cc" alt="Claim name" width="1498" height="752" data-path="images/hub/entra-id-and-saml/entra-id-and-saml-10.png" />

11. Change the claim to something unique and immutable for each user, such as **user.employeeid**, and click **Save**.

    <img src="https://mintcdn.com/matillion/0bH-WuwTaSy4zifJ/images/hub/entra-id-and-saml/entra-id-and-saml-11.png?fit=max&auto=format&n=0bH-WuwTaSy4zifJ&q=85&s=e726ba8a959ccb6fb0b8e3c96366137e" alt="Manage claim" width="1498" height="926" data-path="images/hub/entra-id-and-saml/entra-id-and-saml-11.png" />

    <Warning>
      The default value, `user.principalname`, is typically an email address and shouldn't be used. The value selected here is used internally by the identity provider (as the sub claim) to uniquely identify users. It's never visible in either system, and regardless of this setting, users will always sign in using their email address.

      Leaving the default value in place can cause issues if it changes in the future. In that case, {maia} would treat the user as a new account, resulting in the loss of the original user profile.

      Any value that is both unique to each user and guaranteed not to change can be used. Because each setup is different, Matillion cannot provide guidance on creating a unique claim in Entra ID. However, the exact value being sent can be verified during the testing phase, before the configuration is activated and affects user logins.
    </Warning>

12. At the top of **Attributes & Claims**, click **Add new claim**.

    <img src="https://mintcdn.com/matillion/0bH-WuwTaSy4zifJ/images/hub/entra-id-and-saml/entra-id-and-saml-12.png?fit=max&auto=format&n=0bH-WuwTaSy4zifJ&q=85&s=65aaf96b6b0b02a7695e9f156148b224" alt="Add new claim" width="1042" height="760" data-path="images/hub/entra-id-and-saml/entra-id-and-saml-12.png" />

13. Set the **Name** of the claim to **email\_verified**, type the word "true" in the **Source attribute** box, then select **true** from the drop-down, and click **Save**. This ensures that users aren't prompted to verify their email address with {maia}.

    <img src="https://mintcdn.com/matillion/0bH-WuwTaSy4zifJ/images/hub/entra-id-and-saml/entra-id-and-saml-13.png?fit=max&auto=format&n=0bH-WuwTaSy4zifJ&q=85&s=c2ce83722a3d25be64af7e08e0f0cc9e" alt="Manage claim settings" width="1498" height="926" data-path="images/hub/entra-id-and-saml/entra-id-and-saml-13.png" />

14. Click the browser back button twice to return to the **Single sign-on** page.

15. Click **Download** on the **Certificate (Base64)** row of the **SAML Certificates** card, and save it somewhere you can refer to later.

    <img src="https://mintcdn.com/matillion/0bH-WuwTaSy4zifJ/images/hub/entra-id-and-saml/entra-id-and-saml-14.png?fit=max&auto=format&n=0bH-WuwTaSy4zifJ&q=85&s=03da64202c1ff5df9d0e4af5deecb2ce" alt="Download certificate" width="1430" height="812" data-path="images/hub/entra-id-and-saml/entra-id-and-saml-14.png" />

16. Copy and make a note of the **Login URL** from the **Set up \[Application name]** card.

    <img src="https://mintcdn.com/matillion/0bH-WuwTaSy4zifJ/images/hub/entra-id-and-saml/entra-id-and-saml-15.png?fit=max&auto=format&n=0bH-WuwTaSy4zifJ&q=85&s=bc2214342e2eb722393e259f6c4859fb" alt="Copy Login URL" width="1428" height="838" data-path="images/hub/entra-id-and-saml/entra-id-and-saml-15.png" />

17. Select **Users and groups** from the menu on the left, and at the top, click **Add user/group**.

    <img src="https://mintcdn.com/matillion/0bH-WuwTaSy4zifJ/images/hub/entra-id-and-saml/entra-id-and-saml-16.png?fit=max&auto=format&n=0bH-WuwTaSy4zifJ&q=85&s=398acf032aa0c8c9ced7f261c323484d" alt="Add user/group" width="1220" height="714" data-path="images/hub/entra-id-and-saml/entra-id-and-saml-16.png" />

18. Click **None selected** in the **Users and groups** section.

    <img src="https://mintcdn.com/matillion/0bH-WuwTaSy4zifJ/images/hub/entra-id-and-saml/entra-id-and-saml-17.png?fit=max&auto=format&n=0bH-WuwTaSy4zifJ&q=85&s=b33802ed5b28a1706afc061f306ebc86" alt="Select users and groups" width="968" height="536" data-path="images/hub/entra-id-and-saml/entra-id-and-saml-17.png" />

19. Search for and add the users and groups that you want to allow to sign in to {maia}.

    <img src="https://mintcdn.com/matillion/0bH-WuwTaSy4zifJ/images/hub/entra-id-and-saml/entra-id-and-saml-18.png?fit=max&auto=format&n=0bH-WuwTaSy4zifJ&q=85&s=60a54d1eb4f01ffdc28cc92409803c6a" alt="Search and add users" width="1268" height="848" data-path="images/hub/entra-id-and-saml/entra-id-and-saml-18.png" />

20. Continue the steps in [Single sign-on (SSO) setup](/docs/administration/single-sign-on).
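
The warning in step 11 notes that the exact value being sent can be verified during the testing phase. The following is an added example, not part of the original documentation or any Matillion tooling: it checks a decoded SAML response from your own test login against the values configured in steps 8, 11 and 13. The function names, the sample response, and the reading of "special characters" as anything other than letters and digits are assumptions; it compares configured values only and does not validate the response signature.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REPLY_URL = "https://id.matillion.com/login/callback"  # Reply URL from step 8

# Constructed sample response (unsigned, trimmed); {name_id} is filled in below.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
<saml:Subject><saml:NameID>{name_id}</saml:NameID><saml:SubjectConfirmation>
<saml:SubjectConfirmationData Recipient="https://id.matillion.com/login/callback"/>
</saml:SubjectConfirmation></saml:Subject>
<saml:Conditions><saml:AudienceRestriction>
<saml:Audience>urn:auth0:matillion:example-com-saml</saml:Audience>
</saml:AudienceRestriction></saml:Conditions>
<saml:AttributeStatement><saml:Attribute Name="email_verified">
<saml:AttributeValue>true</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion></samlp:Response>"""


def expected_identifier(domain):
    """Step 8 Identifier; assumes 'special character' means anything not a-z/0-9."""
    return "urn:auth0:matillion:%s-saml" % re.sub(r"[^a-z0-9]", "-", domain.lower())


def check_response(xml_text, domain):
    """Return findings for a decoded test response; an empty list means no mismatch."""
    root = ET.fromstring(xml_text)
    findings = []
    name_id = root.findtext(".//saml:Subject/saml:NameID", "", NS).strip()
    if not name_id:
        findings.append("NameID is missing or empty")
    elif "@" in name_id:
        findings.append("NameID looks like an email/UPN, so it can change (step 11)")
    if root.findtext(".//saml:Audience", "", NS).strip() != expected_identifier(domain):
        findings.append("Audience does not match the Identifier from step 8")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != REPLY_URL:
        findings.append("Recipient does not match the Reply URL from step 8")
    attrs = {a.get("Name"): (a.findtext("saml:AttributeValue", "", NS) or "").strip()
             for a in root.iterfind(".//saml:Attribute", NS)}
    if attrs.get("email_verified", "").lower() != "true":
        findings.append("email_verified claim is missing or not 'true' (step 13)")
    return findings


if __name__ == "__main__":
    for nid in ("E1024", "jane.doe@example.com"):
        print(nid, check_response(SAMPLE.format(name_id=nid), "example.com"))
```
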
