SSO AuthenticationSAML 2.0
Microsoft Entra ID
Configure Microsoft Entra ID (formerly Azure AD) as a SAML 2.0 identity provider for Safeguard.
Microsoft Entra ID
- In the Microsoft Entra admin center, go to Enterprise applications → New application → Create your own application, choose "Integrate any other application you don't find in the gallery," and create it.
- Open the app, go to Single sign-on → SAML.
- Edit Basic SAML Configuration:
- Identifier (Entity ID): the SP Entity ID Safeguard shows after Save
- Reply URL (ACS URL): the ACS URL Safeguard shows after Save
- Set the Unique User Identifier (Name ID) to
user.mail— Entra's out-of-box default isuser.userprincipalname, which isn't always the same as the user's email address. - Under Attributes & Claims, also add or rename a claim so its Name is exactly
email, mapped touser.mail(required) — Entra's default claim set uses full claim-type URIs, not this short name, and Safeguard needs the literalemailattribute separate from the Name ID above. - Under SAML Certificates, copy the Login URL, Microsoft Entra Identifier (Entity ID), and download the Certificate (Base64), or copy the App Federation Metadata URL if you'd rather import metadata directly.
- In Safeguard, click Add Provider → SAML 2.0 → Microsoft Entra ID, and enter the Login URL, Entra Identifier, and certificate contents from step 6.
- Back in Entra, go to Users and groups and assign the users/groups who should have access.
- Click Test in Safeguard to confirm.
Common errors: an AADSTS50105 "user not assigned to a role" error means you skipped assigning users/groups in step 8. An AADSTS75011 reply URL mismatch means the Reply URL doesn't exactly match the Callback URL (check for a trailing slash). If you pasted individual values instead of importing the metadata URL, Entra's signing certificate rotates periodically — re-sync it in Safeguard when Entra warns about upcoming rotation.